Take pcrepairnorthshore.com as an example and imagine it is divided into two zones. The first zone hosts www.pcrepairnorthshore.com and ftp.pcrepairnorthshore.com. Now suppose we have a site called offsite.pcrepairnorthshore.com. We delegate it to a new zone that hosts offsite.pcrepairnorthshore.com and its subdomains ftp.offsite.pcrepairnorthshore.com and www.offsite.pcrepairnorthshore.com.
DNS Zone Types
Forward and Reverse Lookup Zones
Demo – Steps to create a Forward Lookup Zone
Demo – Steps to create a Forward Lookup Zone from the command prompt
Demo – Steps to create a Reverse Lookup Zone
DNS Zone Delegation
Configure DNS Zone Transfers
How does DNS Notify Work?
Steps to configure Zone Transfers and Secondary Zones
DNS Zone Types
Zone | Description
Primary | A primary zone is a read/write copy and the primary source of information about the zone. The zone data is stored in a local file or in Active Directory Domain Services. The local file is stored in the %windir%\System32\DNS folder and the default file name is zone_name.dns.
Secondary | A secondary zone is a read-only copy and a secondary source of information about the zone. It must have network access to the remote DNS server supplying it with updated data. The secondary zone cannot be stored in Active Directory because it is only a copy of the primary zone hosted on another DNS server.
Stub | A stub zone is a copy of a zone containing only the records used to locate the name servers that are authoritative for the zone on a remote DNS server; that is, it holds only the resource records of the zone's authoritative servers. The DNS server hosting the stub zone must have network access to the remote DNS server in order to copy the name server information. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers, thus avoiding queries to the Internet or to an internal root server.
Active Directory integrated | An Active Directory integrated zone is stored in Active Directory instead of a flat zone file.
Forward and Reverse Lookup Zones
· Forward Lookup zones. Resolve host names to IP addresses and host common resource records such as:
o A
o CNAME
o SRV
o MX
o SOA
o NS
· Reverse Lookup zones. Most DNS lookups are forward lookups that resolve a host name to an IP address. DNS also allows a reverse lookup, where the client uses an IP address to look up a computer name. To support this, a special domain, in-addr.arpa, was defined and reserved in the Internet DNS namespace to hold the octets of the dotted-decimal IP address in reverse order. Without it, a reverse lookup would have to search every forward zone, which would take too long. The reverse ordering is necessary because an IP address is read from left to right with the host address in the last octets, whereas the DNS hierarchy runs the other way, from the most specific label on the left to the root on the right. A reverse lookup zone hosts these resource records:
o SOA
o NS
o PTR. A PTR resource record maps an address in the reverse lookup zone to the named host's A record in the forward lookup zone.
How does a reverse query work (IPv4 networks)?
Determine the DNS name for 192.168.1.10:
· The client queries the DNS server for a PTR resource record that maps to 192.168.1.10. Since the query is for a PTR record, the resolver reverses the address and appends the in-addr.arpa domain to form the FQDN (fully qualified domain name):
o 10.1.168.192.in-addr.arpa
· When the authoritative DNS server for 10.1.168.192.in-addr.arpa is located, it responds with the PTR resource record, which includes the DNS domain name for the host.
Demo – Steps to create a Forward Lookup Zone
1. Start | Administrative Tools | DNS
2. Click on the server name
3. Highlight Forward Lookup Zones and right-click
4. Click New Zone and the New Zone Wizard begins
5. Next
6. Select the Zone Type. We will select Primary zone and check the Store the zone in Active Directory (available only if DNS server is a writable domain controller) box.
7. Next
8. In the Active Directory Zone Replication Scope dialog box, select To all DNS servers in this domain:
9. Next
10. Type in the Zone Name
11. Next
12. In the Dynamic Update dialog box, choose Allow only secure dynamic updates (recommended for Active Directory). This option is available only for Active Directory-integrated zones.
13. Next
14. Finish
Go to DNS Manager, expand the zone you just created and verify it by checking the SOA and NS resource records.
Demo – Steps to create a Forward Lookup Zone from the command prompt
In this example, the server name will be svr-1 and the zone name will be OffsiteOffice.
1. Start | cmd
2. dnscmd svr-1 /zoneadd OffsiteOffice /dsprimary
3. Press Enter
4. You should receive a "Command completed successfully" message.
Go to DNS Manager, expand the zone you just created and verify the SOA and NS resource records. Right-click the OffsiteOffice zone and click Properties to see the status of the zone as Running and the Type as Active Directory Integrated.
Demo – Steps to create a Reverse Lookup Zone
· Start | Administrative Tools | DNS
· Click on the server name
· Highlight Reverse Lookup Zones and right-click
· Click New Zone and the New Zone Wizard begins
· Next
· Select the Zone Type. We will select Primary zone and check the Store the zone in Active Directory (available only if DNS server is a writable domain controller) box.
· Next
· In the Active Directory Zone Replication Scope dialog box, select To all DNS servers in this domain:
· Next
· In the Reverse Lookup Zone Name dialog box, select IPv4 Reverse Lookup Zone.
· Next
· In the Reverse Lookup Zone Name dialog box, type in the network id. We will use 10.10.0. You will see in the box below this that the network id translates to 0.10.10.in-addr.arpa.
· Next
· In the Dynamic Update dialog box, choose Allow only secure dynamic updates (recommended for Active Directory). This option is available only for Active Directory-integrated zones.
· Next
· On the Completing the New Zone Wizard page, you will see the Name, Type, and Lookup Type:
Name: 0.10.10.in-addr.arpa
Type: Active Directory-Integrated Primary
Lookup type: Reverse
· Finish
Go to DNS Manager, expand the reverse lookup zone you just created and verify the SOA and NS resource records.
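The forward zone from the two demos above and the reverse zone from this one can also be created and verified from PowerShell. This is an added example, not part of the original post; it assumes the DnsServer module (Windows Server 2012 or later, so it does not apply to the Windows Server 2008 console shown above) running on a writable domain controller.

```powershell
# Added example (not from the original post). Assumes the DnsServer PowerShell
# module (Windows Server 2012 or later) on a writable domain controller.
Import-Module DnsServer

# Forward lookup zone OffsiteOffice: primary, stored in Active Directory,
# replicated to all DNS servers in the domain, secure dynamic updates only.
# This matches the wizard choices and the "dnscmd ... /dsprimary" demo above.
Add-DnsServerPrimaryZone -Name 'OffsiteOffice' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Reverse lookup zone for network id 10.10.0 (10.10.0.0/24); the module derives
# the zone name 0.10.10.in-addr.arpa from the network id, as the wizard does.
Add-DnsServerPrimaryZone -NetworkId '10.10.0.0/24' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Verification, equivalent to checking the zone in DNS Manager: the zone should be
# Primary and AD-integrated, and the SOA and NS records should exist.
function Test-NewZone {
    param([string]$ZoneName)
    $zone = Get-DnsServerZone -Name $ZoneName
    $soa  = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType 'SOA'
    $ns   = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType 'NS'
    [pscustomobject]@{
        ZoneName       = $zone.ZoneName
        ZoneType       = $zone.ZoneType
        IsDsIntegrated = $zone.IsDsIntegrated
        DynamicUpdate  = $zone.DynamicUpdate
        HasSoa         = ($null -ne $soa)
        NsCount        = @($ns).Count
    }
}
'OffsiteOffice', '0.10.10.in-addr.arpa' | ForEach-Object { Test-NewZone -ZoneName $_ }
```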
DNS Zone Delegation
DNS is a hierarchical system. A zone delegation points to the next hierarchical level down.
When you divide your DNS namespace into one or more zones, you may sometimes need to delegate a zone to be managed by another part of the namespace. For instance, you may want to delegate a zone to be managed by another location or department in your organization, to distribute traffic load for better performance, or for fault tolerance.
Each new zone created needs delegation records pointing to the authoritative DNS servers for the new zone. The resource records included are:
o NS. The authoritative server for the delegated subdomain.
o A host (A or AAAA) resource record (glue record) that resolves the name of the server specified in the NS resource record to its IP address. This is sometimes called glue chasing.
Configure DNS Zone Transfers
Zone transfers are how DNS moves zone information from one server to another. DNS synchronizes primary and secondary DNS server zones by using zone transfers. Primary and secondary zones must be kept synchronized because discrepancies can cause service outages and host names that resolve incorrectly.
It is best to have DNS servers close to the organization so that DNS names resolve efficiently. The organization needs to resolve the names of computers and devices that are local to it, as well as names across the entire organization. This is done by transferring data from the master DNS server to a secondary DNS server.
· Reload or Transfer a Stub Zone – Makes sure the resource records of a stub zone are up to date, in case the server that hosts the zone goes offline.
· Adjust the Refresh Interval for a Zone – How often the zone is renewed. The default is 15 minutes.
· Adjust the Retry Interval for a Zone – How often to retry a request to update the zone when a refresh attempt fails. The default is 10 minutes.
How does DNS Notify Work?
DNS Notify lets the master notify secondary servers when zone changes occur. This is useful in time-sensitive environments where data accuracy is important. When a zone is updated, the master increments the SOA serial number to indicate that a new version of the zone exists and sends a notify message to the secondary servers in the master server's notify list. Each secondary server sends an SOA query back to the master to check whether the master's copy of the zone is a later version. If the notified secondary server sees that the master's SOA record is a later version, it requests an AXFR (full zone transfer) or IXFR (incremental zone transfer).
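The decision a secondary makes after a notify, written out as an added example (not code from the original post): it ignores a notify that did not come from a configured master, as RFC 1996 recommends, queries the master's SOA, and compares serials with RFC 1982 serial-number arithmetic so that a serial that has wrapped around past 4294967295 still counts as newer. The server names, addresses and serial values are constructed for the example.

```powershell
# Added example (not from the original post). Pure PowerShell logic, no DNS
# calls, so it can be run anywhere to see how a secondary decides to transfer.
function Test-SoaSerialNewer {
    param([uint32]$MasterSerial, [uint32]$LocalSerial)
    if ($MasterSerial -eq $LocalSerial) { return $false }
    $half = [uint32]2147483648          # 2^31, the RFC 1982 half-range
    if ($MasterSerial -gt $LocalSerial) {
        # Plain increase: newer only if the gap is less than half the range
        return (($MasterSerial - $LocalSerial) -lt $half)
    }
    # Master serial is numerically smaller: newer only if it wrapped around
    return (($LocalSerial - $MasterSerial) -gt $half)
}

function Get-NotifyAction {
    param(
        [string]$NotifySource,      # address the notify message came from
        [string[]]$MasterServers,   # masters configured for the secondary zone
        [uint32]$MasterSerial,      # serial returned by the SOA query to the master
        [uint32]$LocalSerial        # serial of the secondary's current copy
    )
    # A notify from a host that is not a configured master is ignored (RFC 1996);
    # only the configured master's SOA answer decides whether to transfer.
    if ($MasterServers -notcontains $NotifySource) { return 'Ignore' }
    if (Test-SoaSerialNewer -MasterSerial $MasterSerial -LocalSerial $LocalSerial) {
        return 'Transfer'   # the secondary would now request an AXFR or IXFR
    }
    return 'UpToDate'
}

# Constructed sample values: dnssvr-1 at 10.10.0.10 is the configured master.
# Notify from the master with a newer serial:
Get-NotifyAction -NotifySource '10.10.0.10' -MasterServers '10.10.0.10' -MasterSerial 2011052302 -LocalSerial 2011052301
# Notify from a host that is not a configured master:
Get-NotifyAction -NotifySource '10.10.0.99' -MasterServers '10.10.0.10' -MasterSerial 2011052302 -LocalSerial 2011052301
# Master serial has wrapped around the 32-bit range:
Get-NotifyAction -NotifySource '10.10.0.10' -MasterServers '10.10.0.10' -MasterSerial 5 -LocalSerial 4294967290
```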
Securing Zone Transfers
It is important to secure zone records because they contain resource records about hosts and servers, and you need to prevent zone data from being overwritten by malicious processes. This is known as DNS poisoning.
In Windows Server 2008, zone transfers are disabled by default.
You should restrict zone transfer traffic to specific servers. This is especially important for Internet-facing DNS servers.
Zone transfer traffic can be encrypted by using a VPN or IPsec. The best option is to use Active Directory-integrated zones so that the zone data is replicated securely as part of the normal Active Directory replication process.
Steps to configure Zone Transfers and Secondary Zones
In this example, the DNS server name is dnssvr-1 and the domain name is pcrepairnorthshore.com. We will configure a secondary zone for the pcrepairnorthshore.com DNS domain on dnssvr-2.
1. Start | Administrative Tools | DNS
2. Right-click DNS in the console and click Connect to DNS Server…
3. The Connect to DNS Server dialog box appears. Type in the DNS server name you want to connect to. In this case, we will use dnssvr-2.
4. Press Enter.
5. You will now be connected to dnssvr-2 and will see it in the console.
6. Under dnssvr-2, right-click Forward Lookup Zones.
7. Click New Zone and the New Zone Wizard begins
8. Next
9. Select the Zone Type. We will select Secondary zone
10. Next
11. In the Zone Name dialog box, type in the zone name pcrepairnorthshore2.com (example).
12. Next
13. In the Master DNS Servers dialog box, type in the IP address or DNS name of the master server. We will use 10.10.0.10. You will see in the line below this that the IP address resolves to dnssvr-1.pcrepairnorthshore.com (this is the master DNS server in our example).
14. Next
15. Finish
Now we go to the dnssvr-1 master server and configure zone transfers to the dnssvr-2 secondary server.
1. Highlight dnssvr-1 in the console.
2. Under dnssvr-1, right-click Forward Lookup Zones.
3. Select the pcrepairnorthshore.com zone (the one we will use for this example)
4. Right-click pcrepairnorthshore.com and select Properties.
5. Go to the Zone Transfers tab.
6. Check the Allow zone transfers box. In this case select Only to the following servers.
7. Select the Edit button and Click here to add an IP Address or DNS Name
8. Enter 10.10.0.24 for dnssvr-2 (example).
9. You will see in the line that appears below the entry that it validates dnssvr-2
10. OK
11. Now select the Notify box to notify dnssvr-2 when there have been changes to the forward lookup zone at pcrepairnorthshore.com
12. Click here to add an IP Address or DNS Name
13. Enter 10.10.0.24 for dnssvr-2 (example).
14. Apply
15. Finish
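The same secondary zone, restricted transfer list and notify list can be set up from PowerShell, and a short audit function can then report any primary zone on a server that still allows transfers to any host. This is an added example, not part of the original post; it assumes the DnsServer module (Windows Server 2012 or later) and reuses the post's names and addresses (dnssvr-1 at 10.10.0.10 as master, dnssvr-2 at 10.10.0.24 holding the secondary zone).

```powershell
# Added example (not from the original post). Assumes the DnsServer PowerShell
# module (Windows Server 2012 or later) and the post's server names/addresses.
Import-Module DnsServer

# On dnssvr-2: create the secondary zone, pulling the data from the master.
Add-DnsServerSecondaryZone -ComputerName 'dnssvr-2' -Name 'pcrepairnorthshore.com' `
    -ZoneFile 'pcrepairnorthshore.com.dns' -MasterServers '10.10.0.10'

# On dnssvr-1: allow zone transfers only to the listed secondary (the
# "Only to the following servers" choice) and send notify messages only to it.
Set-DnsServerPrimaryZone -ComputerName 'dnssvr-1' -Name 'pcrepairnorthshore.com' `
    -SecureSecondaries 'TransferToSecureServers' -SecondaryServers '10.10.0.24' `
    -Notify 'NotifyServers' -NotifyServers '10.10.0.24'

# Audit: list primary zones on a server whose transfer setting is still
# "To any server", which is what the section above says to avoid, especially
# on Internet-facing DNS servers.
function Get-OpenTransferZone {
    param([string]$ComputerName = 'localhost')
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify, NotifyServers
}
Get-OpenTransferZone -ComputerName 'dnssvr-1'
```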
Question: You have an Active Directory domain controller named DC1 running the Server Core installation of Windows Server 2008 R2. You want to convert a secondary zone that is configured on the domain controller to an Active Directory Integrated zone. What is the first thing you do?
Answer: You have to first convert the zone to a primary zone before you convert it to an Active Directory Integrated zone. Execute the following command ->
dnscmd DC1 /ZoneResetType pcrepairnorthshore.com /Primary
After you convert the zone to a primary zone, execute the following command ->
dnscmd DC1 /ZoneResetType pcrepairnorthshore.com /DSPrimary