Servers Cha 8- Configuring and Managing Network Services

debug logging

If the information in the DNS Server log is not sufficient to locate a solution to the problem, you can enable debug logging to obtain more detailed information. Debug logging allows you to record packet-by-packet information about the queries that the DNS server receives. To enable debug logging on your DNS server, access the Debug Logging tab of DNS server properties.

netmask ordering

If a client computer with the IP address 172.16.0.100 performs the same forward lookup of server1.domainX.com, the DNS server will always respond with the IP address 172.16.0.61 listed first. This feature, netmask ordering, takes precedence over round robin.

Creating Resource Records

After creating a forward or reverse lookup zone, you can manually create resource records in a zone. For zones that allow dynamic updates, you still need to manually create CNAME and MX records as well as host records that provide for round robin or netmask ordering. You may also create host and PTR records for computers that are unable to automatically update their resource records in the zone because they are configured to use a different DNS server or run an operating system that does not support dynamic update

Configuring Zone Properties

After you have created a primary zone, you can right-click it in DNS Manager and click Properties to modify the zone type and options as well as the default zone records. The General tab of zone properties shown in Figure 8-16 allows you to pause lookup responses for the zone as well as change the zone type, the Active Directory-integrated zone replication options (if applicable), and dynamic update configuration. If the zone is configured to accept dynamic updates, resource records are created automatically, but they are not automatically removed by default. As a result, zones that accept dynamic updates often accumulate stale resource records that represent computers that are no longer present on the network because they have failed or have been decommissioned or redeployed. To automatically remove stale resource records (a process called scavenging), click the Aging button in Figure 8-16 and select Scavenge stale resource records in the Zone Aging/Scavenging Properties window, as shown in Figure 8-17. The default No-refresh interval shown in Figure 8-17 marks resource records as stale if the associated computer does not perform a dynamic update within 7 days, while the Refresh interval will tag stale records for scavenging 7 days following the No-refresh interval. As a result, resource records are made available for scavenging if a computer fails to perform a dynamic update within 14 days. Scavenging only removes records created using dynamic update. Manually created DNS records are never scavenged

Creating Secondary Zones

After zone transfers have been allowed to your DNS server in the properties of a primary forward or reverse lookup zone, you can create an associated secondary zone on your DNS server. To create a secondary forward lookup zone, right-click the Forward Lookup Zones folder shown earlier Figure 8-3 and click New Zone to start the New Zone Wizard.

IP Address Management (IPAM)

Large organizations may deploy hundreds of DHCP and DNS servers across many locations to provide for IP configuration and FQDN name resolution. These organizations often deploy an IP Address Management (IPAM) software product that provides for centralized management of these servers.

dNS Server log

Log files are often used to troubleshoot unusual DNS problems that cannot be resolved using other methods. By default, the DNS Service logs all information to the dNS Server log. To view the entries in this log, open Event Viewer, navigate to Applications and Services Logs, and highlight DNS Server. Alternatively, you can select DNS in the navigation pane of Server Manager and view the events in the Events section. You can then reproduce the problem and view the events that occurred immediately afterward to locate information regarding the problem. By searching the event description in a search engine, such as Google, you can often find a remedy to the problem

primary dNS server,

The first DNS server in a zone is called the primary dNS server, and contains a read-write copy of a zone file that stores resource records for the zone. Additional DNS servers are called secondary dNS servers, and contain a read-only copy of the zone file from the primary DNS server that they can use to respond to DNS lookup requests. As a result, new resource records are added to the primary DNS server, and secondary DNS servers periodically copy the new records from the primary DNS server in a process known as a zone transfer.

Configuring DHCP Fault Tolerance

To provide fault tolerance for DHCP in an organization, you can configure two DHCP servers in the DMZ with scopes for each network as well as configure the DHCP relay agents in the organization to forward DHCPDISCOVER packets to these DHCP servers. If a DHCP relay agent is configured with the IP address of two DHCP servers, it will forward DHCPDISCOVER packets to the first DHCP server listed and to the second DHCP serf the first is unreachable. Moreover, you can alternate the DHCP server that is listed first in the configuration of each DHCP relay agent to distribute DHCPDISCOVER packets between the two DHCP servers in the DMZ

Using DNS Manager

To test whether a DNS server is functioning correctly, access the Monitoring tab of DNS server properties in DNS Manager. For example, if you right-click SERVERX in Figure 8-3 (shown earlier), click Properties, and highlight the Monitoring tab, you are able to perform a simple or recursive test, as shown in Figure 8-28

authoritative

A DNS server that contains resource records for one or more zones is said to be authoritative for those zones. For example, the microsoft.com DNS server in Figure 8-1 is authoritative for the micro

caching-only dNS server

A DNS server that does not contain any zones, but instead relays forward lookups and caches the results, is called a caching-only dNS server. The ISP DNS server in Figure 8-1 is an example of a caching-only DNS server.

root hints

All DNS servers contain a root hints file that contains the IP addresses of DNS servers that hold top-level DNS zones.

dHCP failover

Alternatively, you can configure dHCP failover to provide fault tolerance for IPv4 scopes on two DHCP servers. DHCP failover works in either load balance or hot standby mode. In load balance mode, each DHCP server contains identical scope and lease information and coordinates all responses to DHCPDISCOVER packets with the other DHCP server to distribute the load. In hot standby mode, each DHCP server contains identical scope and lease information, but only the first DHCP server responds to DHCPDISCOVER packets. If the first DHCP server fails, the second DHCP server starts responding to DHCPDISCOVER packets.

stub dNS servers

Alternatively, you can configure the DNS servers in each organization as stub dNS servers for the other organization's zone. As with conditional forwarders, a stub DNS server forwards requests for a target organization's zone directly to a DNS server in the target organization.

default forwarders

As a result, these organization DNS servers are also called default forwarders, as they forward requests they cannot resolve to other DNS servers instead of using root hints to perform recursive queries. Figure 8-2 illustrates the typical process used to resolve the FQDN docs.microsoft.com from a computer in an organization.

DHCP Relay

Because DHCPDISCOVER packets are broadcast to an entire LAN, routers do not forward them to other LANs by default. Thus, if no DHCP server is available on a LAN, DHCP clients will not be able to obtain an IP address lease. It is costly to place a DHCP server on each LAN in an organization, so each router in an organization is usually configured as a dHCP relay agent. When a DHCP relay agent receives a DHCPDISCOVER packet, it forwards it to a DHCP server in the DMZ network, indicating the source IP network on which the DHCPDISCOVER packet originated.

hosts file

Before a computer performs forward lookups using DNS servers, it first checks for a line in the hosts file that can be used to resolve the FQDN to an IP address. The default hosts file on Windows systems is C:\Windows\system32\drivers\etc\hosts, and the comments at the top of this file provide examples that you can follow to create entries for hosts on your network.

Troubleshooting DNS

By resolving FQDNs to IP addresses, DNS provides one of the most important services on a network. If a DNS server is unable to perform forward lookups, computers will be unable to contact the services running on other systems on the network or Internet. In many cases, you can solve DNS server-related problems by restarting the DNS Server service on the DNS server. You can restart the DNS Server service using the Restart-Service dns command in Windows PowerShell, or by running the net stop dns command followed by the net start dns command at a Command Prompt window. You can also restart the DNS Server service in DNS Manager by right-clicking your DNS server object and clicking All Tasks, Restart.

Configuring Conditional Forwarders

Conditional forwarders are an alternative to stub zones that provide the same functionality. Rather than being displayed as an additional forward lookup zone in DNS Manager, conditional forwarders are stored in their own folder. As a result, server administrators often prefer to create conditional forwarders over stub zones on DNS servers that host many forward lookup zones.

Module Summary

DNS servers provide for FQDN name resolution by hosting zone files that include resource records for each FQDN or by forwarding name resolution requests to other DNS servers. • Multiple DNS servers are used to provide fault tolerance for zone files. Primary DNS servers contain a read-write copy of a zone file, and secondary DNS servers contain a read-only copy of a zone file. Secondary DNS servers perform a zone transfer to copy new resource records from a primary DNS server. • The zone file used for Active Directory on organization DNS servers is stored in the Active Directory database and includes resource records that are created by dynamic update. • A DNS server can be configured to forward name resolution requests to another DNS server using a conditional forwarder, stub zone, default forwarder, or root hints file. Key Terms Active directory-integrated primary dNS server authoritative caching-only dNS server debug logging default forwarder • Most DNS problems are caused by incorrect resource records in a zone or DNS cache and can often be identified using the nslookup command. • You can configure a WINS server to reduce NetBIOS name broadcasts as well as ensure that NetBIOS names can be resolved for computers on other LANs in your organization. • DHCP can lease IP configuration to other computers on a network that broadcast a DHCPDISCOVER packet. Routers use DHCP relay agents to forward DHCPDISCOVER packets on each LAN to DHCP servers in a DMZ. • To provide IP configuration for DHCP clients on a network, you must configure a scope on a DHCP server that includes an IP address range and related DHCP options. You can optionally configure DHCP failover to provide fault tolerance for scopes if you have two DHCP servers.

forward lookup

DNS servers typically resolve FQDNs to IP addresses (called a forward lookup), but they can also be configured to resolve IP addresses to FQDNs (called a reverse lookup).

Configuring Default Forwarders

For lookup requests that do not match an authoritative zone or conditional forwarder, DNS servers will use root hints to perform a recursive query in order to resolve the lookup request. However, this can result in a large number of recursive lookup requests in organizations that have many DNS servers. As a result, most organizations will instead configure their DNS servers as default forwarders that relay lookup requests that cannot be resolved to an ISP DNS server or other DNS server in the organization

dHCP options

In addition to IP addresses, DHCP servers can also send client computers other IP configuration settings, such as a default gateway or DNS server. These IP configuration settings are called dHCP options and are identified by number. Table 8-3 lists common DHCP options that are often provided by DHCP servers

resolver

In the first step shown in Figure 8-1, the client computer (called the resolver) first checks its DNS cache to see if the IP address for docs.microsoft.com is listed from a previous forward lookup request. If it is not listed in the DNS cache, the client computer sends a forward lookup request (Step 2) for docs.microsoft.com to the Preferred DNS server listed in network interface properties (Figure 1-24), or the Alternate DNS server if the Preferred DNS server cannot be contacted. The Preferred DNS server is typically a DNS server at your ISP. If the ISP DNS server has recently resolved docs.microsoft.com and placed the result in its DNS cache, it returns the result immediately to the client computer (called an iterative query). If it has not, the ISP DNS server contacts a DNS server for the .com top-level zone (Step 3) and repeats the forward lookup request for docs.microsoft.com (called a recursive query). The .com DNS server will not contain the IP address for the docs.microsoft.com computer in its zone, but will reply with the IP address of a DNS server for the microsoft.com zone (Step 4).

Active directory-integrated primary dNS server

In this case, each DNS server is called an Active directory-integrated primary dNS server and contains a read-write copy of the zone file in its Active Directory database. If a new resource record is added to an Active Directory-integrated primary DNS server, it is replicated immediately using Active Directory to all other Active Directory-integrated primary DNS servers. New resource records can also be copied from an Active Directory-integrated primary DNS server to a secondary DNS server (that is not a domain controller) using a zone transfer.

NetBIoS name record

Next, click the Advanced button, select the WINS tab, and add the IP address of one or more WINS servers, as shown for 172.16.0.1 in Figure 8-30. During boot time, your computer will contact the first available WINS server listed in the IPv4 configuration of your network interface to create (or update) a NetBIoS name record that includes your NetBIOS name and IP address. Following this, your computer will contact the first available WINS server each time a NetBIOS name must be resolved, instead of sending a NetBIOS broadcast on the LAN.

dHCP policies

Policies can be used to create dHCP policies that provide a specific IP range or DHCP options for DHCP clients based on criteria in the DHCPDISCOVER packet. To create a DHCP policy, highlight this folder and click More Actions, New Policy in the Actions pane.

zone

Recall from Module 1 that DNS is a hierarchical namespace used to identify computers on large IP networks such as the Internet. Each part of this namespace is called a zone, and DNS servers have resource records that contain the FQDN and IP information for computers in a zone

Reservations

Reservations allow you to provide the same IP address each time a DHCPDISCOVER is received from a DHCP client that has a certain MAC address. Reservations are often created for network-attached printers, servers, and network devices ththat mus eceive an IP address from a DHCP server that does not change over time. To create a reservation that always provides the IP address 192.168.100.100 to a network-attached printer called Ricoh 8220LP (with MAC address 80:a2:f4:77:4f:8b), highlight this folder, click More Actions, New Reservation in the Actions pane, and supply the options shown in Figure 8-46

MAC address filtering

Some organizations configure MAC address filtering on a DHCP server to restrict IP leases to computers that were purchased by the organization. Alternatively, MAC address filtering can be used to prevent one or more computers from obtaining an IP lease from a DHCP server while allowing all others. To configure MAC address filtering in the DHCP tool, access the Filters folder shown in Figure 8-36 and perform one of two procedures

scopes

The DHCP tool uses scopes to organize the settings for each IPv4 and IPv6 network that it can provide IP configuration for. The DHCP server shown in Figure 8-36 contains a scope called Accounting LAN that provides IP configuration for the 192.168.100.0 network. To configure a DHCP server, you must create scopes that represent each of the networks for which you wish to provide IP configuration

Time To live (TTl)

The amount of time that a computer is able to cache the result of a lookup is determined by the Time To live (TTl) property of the resource record.

The DHCP Lease Process

The process by which a DHCP client requests IP configuration from a DHCP server involves several stages. First, the client sends a request (DHCPDISCOVER packet) to all hosts on the LAN. In reply, a DHCP server sends an offer (DHCPOFFER packet) that contains a potential IP configuration. The DHCP client then selects (accepts) the offer by sending a DHCPREQUEST packet to the associated DHCP server. Next, the DHCP server sends to the client an acknowledgment indicating the amount of time the client can use the IP configuration (DHCPACK packet). Finally, the client configures itself with the IP configuration. This process is illustrated in Figure 8-34.

dHCP Server

To configure Windows Server 2019 as a DHCP server, you must first install and authorize the dHCP Server role. Authorizing the DHCP Server role after installation is necessary in an Active Directory environment. This is because the DHCP Server service sends a DHCPINFORM packet on the network each time it starts requesting authorization from a domain controller. If the DHCP Server role has not been previously authorized in the Active Directory domain, the authorization request will be rejected by a domain controller on the network and the DHCP Server service will shut down. If you install the DHCP Server role using the Add Roles and Features Wizard in Server Manager while logged in as user account with domain privileges, you can authorize it on the final page, as shown in Figure 8-35. If you click Complete DHCP configuration in Figure 8-35, click Next and Commit to authorize your DHCP server in Active Directory. This also creates the DHCP Administrators and DHCP Users groups in Active Directory, if not already present. Members of the DHCP Administrators group can administer the settings on all DHCP servers in the domain, while members of the DHCP Users group can view DHCP server configuration (often required for help desk staff to aid in providing network support)

dNS Server

To configure a Windows Server 2019 computer as a DNS server, you must install and configure the dNS Server role. Once installed, this server role functions as a caching-only DNS server that uses root hints and cached entries to respond to lookup requests on all network interfaces.

WINS Server

To configure a Windows Server 2019 computer as a WINS server, you must install and configure the WINS Server feature. After the WINS Server feature has been installed, you can click WINS from the Tools menu in Server Manager to start the WINS tool shown in Figure 8-31

Creating a Primary Reverse lookup Zone

To create a primary reverse lookup zone, right-click the Reverse Lookup Zones folder in Figure 8-3 and click New Zone to start the same New Zone Wizard used to create a primary forward lookup zone. When you click Next at the first page of the New Zone Wizard, you are prompted to select the zone type, as shown in Figure 8-4. If you choose to create an Active Directory-integrated primary zone and click Next, you are prompted to select Active Directory-integrated zone replication options, as shown in Figure 8-5. Following this, you are prompted to choose an IPv4 or IPv6 reverse lookup zone, as shown in Figure 8-9. After you click Next in Figure 8-9, you are prompted to specify either the associated network ID that can be used to generate the reverse lookup zone name, or the reverse lookup zone name itself. In Figure 8-10, the Network ID options was used to specify the 172.16.0.0/24 IPv4 network

Creating a New Scope

To create the scope shown in Figure 8-36, highlight IPv4 and select More Actions, New Scope from the Actions pane to start the New Scope Wizard. When you click Next at the welcome page of the New Scope Wizard, you are prompted to supply a name and optional description for your scope, as shown in Figure 8-37. After you click Next in Figure 8-37, you must specify the IP address range and subnet mask, as shown in Figure 8-38

Creating Stub Zones

Unlike primary and secondary zones, stub zones are not authoritative. Instead, they contain NS and host records that allow a DNS server to access an authoritative zone on another DNS server. To create a stub zone, right-click the Forward Lookup Zones folder shown earlier in Figure 8-3 and click New Zone to start the New Zone Wizard. When you click Next at the first page of the New Zone Wizard, you must select Stub zone as the zone type in Figure 8-4. If you choose to create an Active Directory-integrated stub zone and click Next, you are prompted to select Active Directory-integrated zone replication options, as shown in Figure 8-5.

Windows Internet Name Service (WINS)

Used to relay forward lookup requests for a NetBIOS name to a Windows Internet Name Service (WINS) server. The configuration of WINS is discussed later in this module.

Using nslookup

When troubleshooting most DNS-related problems, the first step typically involves testing forward lookups from a resolver using the nslookup command at a Command Prompt or Windows PowerShell window. The nslookup command can perform both forward and reverse lookups and will list the DNS server that is used to perform the lookup, as well as identify whether the result was authoritative (obtained from a zone file on the DNS server) or non-authoritative (obtained from the DNS server cache).

Configuring Primary Zones

You can create an unlimited number of primary forward and reverse lookup zones on a DNS server to hold resource records that are authoritative for a zone in the Domain Name Space. You can configure each zone to either: (1) allow for dynamic updates; or (2) require that resource records be manually created by the server administrator. If the DNS server is also a domain controller, you can also configure the zone file to be stored in Active Directory. After you create a primary lookup zone, you can access the properties of the zone to modify zone configuration.

replication partner

re their NetBIOS name records. In this case, each WINS server is called a replication partner and can resolve all of the NetBIOS names in the organization. To configure a replication partner for the WINS server in Figure 8-31, you can right-click the Replication Partners folder, click New Replication Partner, and supply the IP address of the other WINS server.