Chapter 2: Configuring Name Resolution

Computers that use the Transmission Control Protocol/Internet Protocol (TCP/IP) to communicate have numerical addresses assigned to them. For most people it's difficult to remember numerical addresses that look like 192.168.3.246 or fe80:326b:b19b:7487:6172:b572, so computers are also identified by a more human-friendly hostname. Each computer on a network, including the Internet, must have a unique name. The Domain Name System (DNS) was created both to ensure that no two hosts have the same name and to map each hostname to a specific IP address. Understanding how to manage DNS is critical for ensuring smooth operations in a network that includes Windows Server 2008 and Windows Vista.

You may feel that you have been here before. It's not déjà vu: an earlier chapter was also focused on DNS. In Configuring DNS for Active Directory you learned how to install the DNS server role and integrate it with Active Directory Domain Services (AD DS). That chapter was part of the preparation for exam 70-640; this one is designed to help you prepare for exam 70-642. To save space and avoid repetition, this chapter examines only the aspects of DNS not covered previously. Topics such as configuring DNS zones, replication, records, and root hints are explained in detail in Configuring DNS for Active Directory. If it's been a while since you read it, you may want to review that chapter quickly before continuing with this one. In this chapter you will learn about the following:

  • Configure a Domain Name System (DNS) server.
  • Configure name resolution for client computers.

Topics that are part of exam 70-642 but are covered in depth in Configuring DNS for Active Directory include:

  • Configure DNS zones.
  • Configure DNS records.
  • Configure DNS replication.

Configuring a Domain Name System (DNS) server

DNS Server is one of the server roles available in Windows Server 2008. To perform the activities described in this chapter you will need a system running Windows Server 2008 with the DNS server role installed. If you do not already have one available in your practice lab, review exercise 2 in Configuring DNS for Active Directory to see how to install the DNS server role. The DNS server role can be managed using the graphical DNS Manager console or from a command prompt using dnscmd. This section focuses on using these tools to configure various aspects of the DNS server.

Configuring Forwarding

A forwarder is a DNS server on a network that forwards DNS queries for external hostnames to DNS servers outside that network. Configuring forwarders was discussed in Configuring DNS for Active Directory in the Configure Server Forwarding section. A conditional forwarder forwards only queries for specific domain names. Conditional forwarders can improve the efficiency of name resolution and limit the number of DNS servers that have to connect to the Internet and other external networks. To configure a server to use a conditional forwarder in DNS Manager do the following:

  1. Right-click on Conditional Forwarders in the navigation pane and click New Conditional Forwarder.
  2. Enter the DNS zone name, e.g. kurtdillard.com, and click Click here to add an IP Address or DNS Name to enter the name or address of the external DNS server.
  3. Optionally, enable Store this conditional forwarder in Active Directory, and replicate it as follows and then specify the replication scope, as shown in figure 1.
  4. If desired you can adjust the number of seconds before queries time out.
  5. Click OK to finish.

Figure 1: Specifying a New Conditional Forwarder.

Important: You cannot configure a conditional forwarder for a zone if the server is already hosting a primary, secondary, or stub zone with the same name.

Configuring Caching-Only DNS Servers

Caching-only servers, also known as forwarding-only servers, pass client requests to other DNS servers and cache the responses to speed up future queries, but they do not host any DNS zones. They are ideal for remote sites with a slow network link, where full zone transfers might consume all of the available bandwidth too frequently. Setting up a caching-only server is simple: install the DNS server role and configure one or more forwarders and conditional forwarders, but do not host any zones on the server. To configure a forwarder using DNS Manager do the following:

  1. Right-click on the server in the navigation pane and select Properties.
  2. Click the Forwarders tab, as shown in figure 2.
  3. Click Edit.
  4. Enter the IP addresses or hostnames for one or more DNS servers in the IP addresses of forwarding servers box.
  5. Select a DNS server and click Up or Down to change the order in which they are contacted.
  6. Click OK when finished.

Figure 2: Configuring DNS Forwarders.
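Both of the procedures above, the conditional forwarder and the forwarder list of a caching-only server, can also be scripted with dnscmd, the command-line tool mentioned at the start of this section. The following PowerShell script is an added example and is not part of the chapter: the zone name and server addresses are constructed values, it expects an elevated session on the DNS server, and the check that dnscmd /ZoneInfo exits non-zero for a zone the server does not host is an assumption about the tool's behaviour.

```powershell
# Added example: forwarder and conditional-forwarder setup with dnscmd.
# Assumptions: elevated PowerShell on the DNS server; all names and
# addresses below are constructed sample values.

$ConditionalZone = 'kurtdillard.com'                   # constructed: partner's domain
$PartnerDns      = '203.0.113.53'                      # constructed: partner's DNS server
$Forwarders      = @('198.51.100.10', '198.51.100.11') # constructed: upstream resolvers
$TimeoutSeconds  = 5                                   # seconds before a forwarded query times out

function Test-DnsZoneHosted {
    # $true when this server already hosts a zone with the given name.
    # Assumption: dnscmd /ZoneInfo exits non-zero for a zone that does not exist.
    param([string]$ZoneName)
    $null = & dnscmd.exe /ZoneInfo $ZoneName 2>&1
    return ($LASTEXITCODE -eq 0)
}

function Set-DnsForwarders {
    # Caching-only / forwarding configuration: replace the server's forwarder list.
    # Servers are contacted in the order given, matching the Up/Down buttons in DNS Manager.
    param([string[]]$Servers, [int]$Timeout)
    & dnscmd.exe /ResetForwarders $Servers /Timeout $Timeout
}

function Add-DnsConditionalForwarder {
    # Creates a conditional forwarder for one domain. The chapter's "Important" note
    # applies: it cannot coexist with a primary, secondary or stub zone of the same
    # name, so refuse up front rather than let dnscmd fail half-way.
    param([string]$ZoneName, [string]$MasterServer, [int]$Timeout)
    if (Test-DnsZoneHosted $ZoneName) {
        Write-Warning "$ZoneName is already hosted on this server; remove that zone before adding a conditional forwarder."
        return $false
    }
    # /Forwarder keeps the forwarder in the registry; /DsForwarder would store it in AD DS
    # (the "Store this conditional forwarder in Active Directory" option in DNS Manager).
    & dnscmd.exe /ZoneAdd $ZoneName /Forwarder $MasterServer /Timeout $Timeout
    return ($LASTEXITCODE -eq 0)
}

Set-DnsForwarders -Servers $Forwarders -Timeout $TimeoutSeconds
Add-DnsConditionalForwarder -ZoneName $ConditionalZone -MasterServer $PartnerDns -Timeout $TimeoutSeconds

# Verify: /Info prints the server configuration, including the forwarder list, and
# /EnumZones should show no primary, secondary or stub zones on a caching-only
# server, only the auto-created cache zone and any conditional forwarders.
& dnscmd.exe /Info
& dnscmd.exe /EnumZones
```

The up-front zone check matters because a conditional forwarder that silently fails to be created leaves queries for that domain going to the general forwarders, which is exactly the traffic the conditional forwarder was meant to divert.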

Integrating WINS and DNS

When a DNS server is unable to find a host name it can query Windows Internet Name Service (WINS) servers. This is useful when you need to maintain support for applications that rely on WINS for name resolution: integrating DNS with WINS means that you do not have to manage records in both the DNS and WINS namespaces. Just as DNS searches for names in the DNS namespace, WINS searches for names in the NetBIOS namespace. As mentioned in Configuring DNS for Active Directory, Microsoft has been working towards retiring WINS; however, for the time being there are still applications and operating systems that rely on WINS for resolving NetBIOS names. Integration of WINS with DNS is enabled on each zone. To enable it using DNS Manager do the following:

  1. Right-click on the desired zone in the navigation tree and click Properties.
  2. Do one of the following:
    1. If it’s a forward lookup zone, click the WINS tab, enable the Use WINS forward lookup checkbox, and enter the IP address of the WINS server, click Add, and click OK, as shown in figure 3.

Figure 3: Configuring WINS Forward Lookup Integration.

    2. If it's a reverse lookup zone, click the WINS-R tab, enable the Use WINS-R lookup checkbox, enter the name in Domain to append to returned name, and click OK.
  3. If appropriate, enable the Do not replicate this record checkbox for the WINS record. You should do this when replicating the zone with DNS servers that do not recognize WINS or WINS-R resource records.

Diagnosing DNS Issues Using Command Prompt Tools

When clients on your network are having trouble resolving host names, DNS servers are not replicating properly, or other issues arise, the first thing to check is whether the computers involved have basic network connectivity. Open a command prompt on one computer and use the ping utility by entering the following:

ping <ipaddress>

Where <ipaddress> is the IP address of the other computer. Use the IP address rather than the host name: specifying a host name requires name resolution to succeed, and the first step is to verify that the computers can communicate at the most basic level. Ping relies on the Internet Control Message Protocol (ICMP). If you have blocked ICMP on the client computers in your organization using IP filters, Windows Firewall with Advanced Security or some other technology, you will have to conduct this test from the client, that is, ping the DNS server from the client. If you have blocked ICMP on the servers you will have to temporarily enable it for this test to be useful. Pathping is another valuable tool: if basic network connectivity is failing, enter pathping <ipaddress> to see where the traffic is being routed and at what point it fails to progress.

What you do next depends on the type of problem. Ipconfig is useful to run on client computers when they are having problems registering themselves via Dynamic DNS (DDNS); you can verify that DDNS is working by entering the following at a command prompt:

ipconfig /registerdns

You can also use ipconfig to verify that the client has a valid address configuration, entering the following command will display extensive information about the IP settings on each network adapter:

ipconfig /all

You can force DHCP clients to request a new lease from the DHCP server by entering

ipconfig /renew

Nslookup is a more advanced troubleshooting tool. Enter nslookup at a command prompt; you can conduct many tests from the nslookup prompt. Start by entering a hostname to see if the client can resolve it. You can verify that reverse lookups are functioning by entering an IP address. You can force the client to send its query to a particular server by entering the target hostname or IP address followed by the hostname or IP address of the DNS server, like this:

www.kurtdillard.com 192.168.2.5

You can change the default DNS server by entering server <dns_server_name_or_IPaddress>. This means that you can connect to DNS servers on remote networks to verify that they are resolving names properly.

You can also conduct effective troubleshooting within DNS Manager. The DNS Events log will record important events. You can also enable debug logging by right-clicking on the DNS server in the navigation pane, selecting Properties, clicking on the Debug Logging tab, and then configuring the options on that tab as you see fit. You should turn off debug logging when you are finished troubleshooting as it will impact performance, especially on busy servers. You can also conduct simple and recursive test queries from the Monitoring tab of the properties dialog box.
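The command-line tests above can be chained into one script that runs them in the order this section recommends: connectivity by IP address first, pathping only if that fails, then forward and reverse lookups against one specific DNS server with nslookup. This is an added PowerShell example, not from the chapter; the server address and test names are constructed, and the failure strings it looks for in nslookup output are assumptions about the tool's messages.

```powershell
# Added example: scripted DNS diagnostic sequence (connectivity first, then lookups).
# Assumptions: run on the client; the addresses and names are constructed samples;
# the failure strings matched in nslookup output are assumed from the tool's messages.

$DnsServer = '192.168.2.5'          # constructed: DNS server under test
$TestName  = 'www.kurtdillard.com'  # constructed: a name that server should answer for
$TestAddr  = '192.168.2.5'          # constructed: an address that should have a PTR record

function Test-BasicConnectivity {
    # Step 1: ping by IP address so that no name resolution is involved.
    # Real replies carry "time=" or "time<"; "Destination host unreachable" replies do
    # not, and ping.exe still exits 0 for those, so match the output instead of the
    # exit code. If ICMP is blocked by a host firewall this fails even when DNS is fine.
    param([string]$Address)
    $out = & ping.exe -n 2 -w 1000 $Address
    return [bool]($out -match 'time[=<]')
}

function Get-RouteTrace {
    # Used only when step 1 fails: show where along the path traffic stops.
    param([string]$Address)
    return (& pathping.exe -n -q 1 $Address | Out-String)
}

function Invoke-NslookupQuery {
    # Non-interactive nslookup against an explicit server, which bypasses the client's
    # configured resolvers and its cache. Returns the answer text, or $null on failure.
    param([string]$Query, [string]$Server)
    $out = (& nslookup.exe $Query $Server 2>&1 | Out-String)
    if ($out -match "can't find|timed out|No response from server") { return $null }
    return $out
}

function Invoke-NameResolutionCheck {
    param([string]$Server, [string]$Name, [string]$Address)
    $result = @{ Connectivity = Test-BasicConnectivity $Server }
    if (-not $result.Connectivity) {
        $result.PathPing = Get-RouteTrace $Server
        return New-Object PSObject -Property $result
    }
    # Forward lookup (name -> address) and reverse lookup (address -> name), both
    # answered by $Server rather than by whatever resolver the client is configured with.
    $result.ForwardLookup = [bool](Invoke-NslookupQuery $Name $Server)
    $result.ReverseLookup = [bool](Invoke-NslookupQuery $Address $Server)
    return New-Object PSObject -Property $result
}

Invoke-NameResolutionCheck -Server $DnsServer -Name $TestName -Address $TestAddr | Format-List
```

A Connectivity value of False with a PathPing trace points at the network or a firewall, not at DNS; a forward lookup that succeeds while the reverse lookup fails narrows the problem to the in-addr.arpa zone or missing PTR registrations, which is where ipconfig /registerdns on the client comes in.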

Configuring a Domain Name System (DNS) Client

We have spent a lot of time discussing DNS servers, but what point do the servers have if there are no clients submitting name resolution requests? While in many situations all you have to do on the client is configure it to receive the addresses of its DNS servers from the Dynamic Host Configuration Protocol (DHCP) server, it is possible to customize the behavior of DNS clients in several ways.

Configuring Client Settings

Getting to the network connection configuration settings involves more steps than in recent versions of Windows. I like to set Control Panel to Classic View, which eliminates a mouse-click from many procedures. Open Network and Sharing Center, then click Manage Network Connections, right-click the desired network adapter, and select Properties. Select Internet Protocol Version 6 (TCP/IPv6) and click Properties. You can specify one or two DNS server addresses manually, as shown in figure 4, or configure the computer to receive the addresses dynamically.

Figure 4: Configuring Internet Protocol Version 6 (TCP/IPv6) Properties.

Click on Advanced, then click the DNS tab. You use the Advanced TCP/IP Settings dialog box to specify more than two DNS servers, to change the order in which DNS servers are used, to configure DNS suffixes, and to enable or disable DDNS, as shown in figure 5.

Figure 5: Configuring Advanced TCP/IPv6 Settings.

Return to the network adapter properties dialog box, select Internet Protocol Version 4 (TCP/IPv4), and click Properties. You can specify one or two DNS server addresses manually, as shown in figure 6, or configure the computer to receive the addresses dynamically.

Figure 6: Configuring Internet Protocol Version 4 (TCP/IPv4) Properties.

Click on Advanced, then click the DNS tab. You use the Advanced TCP/IP Settings dialog box to specify more than two DNS servers, to change the order in which DNS servers are used, to configure DNS suffixes, and to enable or disable DDNS, as shown in figure 7.

Figure 7: Configuring Advanced TCP/IPv4 Settings.

Click the WINS tab to configure the addresses of WINS servers on the client, to enable or disable LMHOSTS lookup, and to enable or disable NetBIOS, as shown in figure 8. LMHOSTS is discussed further in the next section. You can see that it's possible to configure WINS integration at the client rather than the server if you prefer. Although it's usually simpler to integrate WINS for each zone on the DNS servers, it may not be possible to do so. For example, if the organization's DNS servers do not support WINS integration yet some applications rely on NetBIOS and WINS for name resolution, you can configure the client computers to submit queries directly to the WINS servers.

Figure 8: Configuring WINS Settings.


Understanding NetBIOS Node Types

There are four types of NetBIOS nodes. The node type determines how the client resolves NetBIOS names. By default, computers running Windows Server 2008 use B-node; they switch to H-node when they are configured to use a WINS server.

B-node – a broadcast node: queries for name registration and resolution are broadcast. There are two problems with this: routers are usually configured not to forward broadcast traffic, so name resolution only works on the local subnet, and broadcasts send traffic to every host on the subnet, which can impact performance on large networks.

P-node – a peer-to-peer node uses a NetBIOS name server, such as a WINS server, to resolve names; it does not use broadcasts.

M-node – a mixed node combines B-node and P-node: when it is unable to resolve a name using a broadcast query, it queries a NetBIOS name server.

H-node – a hybrid node is also a combination of B-node and P-node, but it first attempts to resolve a name by contacting a NetBIOS name server; only if that fails does it fall back to broadcast queries.

Managing Hosts and Lmhosts Files

A hosts file is a list of computer names mapped to IP addresses, something like a static version of DNS that has to be configured on each computer individually. Before DNS was used, systems administrators on public networks would share hosts files with one another. Windows Server 2008 still supports the use of a hosts file; it's located in %windir%\System32\drivers\hosts. Note the absence of a file extension. The sample hosts file included with Windows Server 2008 includes two entries for the name localhost, the IPv4 address 127.0.0.1 and the IPv6 address ::1. Another entry, with the IP address first and the hostname after it, might look like this:

69.17.116.190 www.kurtdillard.com

An lmhosts file is similar; however, it maps NetBIOS names to IP addresses and it supports many more options. Windows Server 2008 also supports the use of an lmhosts file; it's located in %windir%\System32\drivers\lmhosts. Again, note the lack of a file extension. The sample is in the same folder; it's called lmhosts.sam, and it includes detailed information about the format of the various kinds of entries such as #PRE, #DOM, and #BEGIN_ALTERNATE. While manually managing hosts and lmhosts files isn't feasible for a large number of systems, it can be useful in a few situations, for example, if you want users to be able to specify a hostname for an external server that the owners of the server have not configured.
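Because hosts files are maintained by hand, they accumulate the two mistakes that are hardest to spot by eye: lines that are not valid mappings at all, and a name mapped to two different addresses, of which only the first is ever used. The following PowerShell script is an added example, not from the chapter; it parses hosts-format text into objects and reports those problems, running against constructed sample text so that it does not touch the real file.

```powershell
# Added example: parse and audit a Windows hosts file.
# The sample text is constructed; pass the lines of a real file to audit it.

$SampleHostsText = @'
# constructed sample in the layout of the default Windows hosts file
127.0.0.1       localhost
::1             localhost
69.17.116.190   www.kurtdillard.com     # entry the chapter shows
69.17.116.190   kurtdillard.com www.kurtdillard.com
not-an-address  broken.example
10.0.0.7        www.kurtdillard.com     # conflicts with the earlier IPv4 mapping
'@

function ConvertFrom-HostsFile {
    # One object per name on each mapping line: "<address> <name> [<alias>...] [# comment]".
    param([string[]]$Lines)
    $lineNo = 0
    foreach ($raw in $Lines) {
        $lineNo++
        $text = ($raw -split '#', 2)[0].Trim()   # drop the trailing comment
        if ($text -eq '') { continue }            # blank or comment-only line
        $fields = $text -split '\s+'
        $address = $fields[0]
        $parsed = $null
        $valid = [System.Net.IPAddress]::TryParse($address, [ref]$parsed)
        if ($fields.Count -lt 2) {
            # an address with no name is never matched by the resolver
            New-Object PSObject -Property @{ Line = $lineNo; Address = $address; Name = $null; Valid = $false; Family = $null }
            continue
        }
        $family = if ($valid) { $parsed.AddressFamily.ToString() } else { $null }
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            New-Object PSObject -Property @{
                Line = $lineNo; Address = $address; Name = $name.ToLower(); Valid = $valid; Family = $family
            }
        }
    }
}

function Get-HostsFileIssues {
    # Returns one string per problem found. Windows uses the first matching line for a
    # name, so a second, different address for the same name and address family is
    # dead weight at best and worth a closer look at worst.
    param([string[]]$Lines)
    $entries = @(ConvertFrom-HostsFile $Lines)
    $issues = @()
    foreach ($e in @($entries | Where-Object { -not $_.Valid })) {
        $issues += "line $($e.Line): cannot parse '$($e.Address)' as an IP address with a name"
    }
    # localhost legitimately has both 127.0.0.1 and ::1, so group by name AND family
    $groups = $entries | Where-Object { $_.Valid } | Group-Object { "$($_.Name)|$($_.Family)" }
    foreach ($g in $groups) {
        $addresses = @($g.Group | ForEach-Object { $_.Address } | Sort-Object -Unique)
        if ($addresses.Count -gt 1) {
            $name  = $g.Group[0].Name
            $lines = ($g.Group | ForEach-Object { $_.Line } | Sort-Object -Unique) -join ', '
            $issues += "$name maps to $($addresses -join ' and ') (lines $lines); the first match wins"
        }
    }
    return $issues
}

Get-HostsFileIssues ($SampleHostsText -split "`r?`n")
```

On the sample it reports line 6 as unparsable and www.kurtdillard.com as mapped to both 10.0.0.7 and 69.17.116.190. To audit the real file, pass the output of Get-Content on the hosts file to Get-HostsFileIssues; the same parser works for the address-and-name portion of lmhosts lines, although the #PRE, #DOM and other lmhosts keywords would need handling of their own.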

Configuring Link-Local Multicast Name Resolution

Link-Local Multicast Name Resolution (LLMNR) resolves single-label names on the local subnet when DNS name resolution is unable to identify the host. This is useful when working in an ad-hoc network or when the DNS server does not include records for hosts on the local subnet. Windows enables or disables LLMNR automatically based on the network location. By default, LLMNR is disabled when connected to domain or public networks and enabled on private networks. You can enable and disable LLMNR manually using Network and Sharing Center in Control Panel: click the down arrow to the right of Network Discovery, click Turn on network discovery, and click Apply, as shown in figure 9.

Figure 9: Managing Link-Local Multicast Name Resolution

You can also disable LLMNR using group policy by enabling the following setting: Computer Configuration\Administrative Templates\Network\DNS Client\Turn off Multicast Name Resolution.

Managing the DNS Resolver Cache

Windows Server 2008 reduces DNS name resolution traffic by caching information from previous queries for 24 hours. The cache is created and maintained by the DNS resolver cache, a component of the DNS Client service. To see what is stored in the client's DNS resolver cache, open a command prompt and enter ipconfig /displaydns. If you suspect that the cache is inaccurate or corrupt, enter ipconfig /flushdns to empty the cache and force the client to submit new queries when resolving host names. I am unable to think of a reason why you would ever want to adjust the time-to-live for cached records, but if you wish to, specify the value, in seconds, in the MaxCacheEntryTtlLimit registry entry located at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters.
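The node type, the LLMNR policy state and the resolver cache settings described in the last three sections can all be read from a client in one pass, which is handy when checking that a group of machines actually received the configuration you intended. The following PowerShell audit script is an added example, not part of the chapter; it assumes that the Turn off Multicast Name Resolution policy is stored as the EnableMulticast value under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient (a registry mapping the chapter does not state), and it parses the text that ipconfig prints.

```powershell
# Added example: audit a client's NetBIOS node type, LLMNR policy and resolver cache.
# Assumption: the LLMNR policy registry location below; everything else uses the
# commands and the registry path named in the chapter.

function Get-NetBiosNodeType {
    # ipconfig /all prints a line such as "Node Type . . . . . . : Hybrid"
    # (Broadcast = B-node, Peer-Peer = P-node, Mixed = M-node, Hybrid = H-node).
    $line = & ipconfig.exe /all | Where-Object { $_ -match 'Node Type' } | Select-Object -First 1
    if ($line -and $line -match ':\s*(.+)$') { return $Matches[1].Trim() }
    return 'Unknown'
}

function Get-LlmnrPolicyState {
    # "Turn off Multicast Name Resolution" (Computer Configuration\Administrative
    # Templates\Network\DNS Client). Assumption: it is stored as EnableMulticast here.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
    $item = Get-ItemProperty -Path $key -Name EnableMulticast -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Not configured (Windows decides by network location)' }
    if ($item.EnableMulticast -eq 0) { return 'Disabled by policy' }
    return 'Enabled by policy'
}

function Get-ResolverCacheTtlLimit {
    # MaxCacheEntryTtlLimit, the entry the chapter names, caps cache lifetime in seconds.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters'
    $item = Get-ItemProperty -Path $key -Name MaxCacheEntryTtlLimit -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'Default (value not set)' }
    return "$($item.MaxCacheEntryTtlLimit) seconds"
}

function Get-ResolverCacheSummary {
    # ipconfig /displaydns prints one "Record Name" line per cached record.
    $lines = & ipconfig.exe /displaydns
    $names = @($lines | ForEach-Object { if ($_ -match 'Record Name[ .]*:\s*(\S+)') { $Matches[1] } })
    New-Object PSObject -Property @{
        CachedRecords = $names.Count
        DistinctNames = @($names | Sort-Object -Unique).Count
    }
}

function Get-NameResolutionClientAudit {
    $cache = Get-ResolverCacheSummary
    New-Object PSObject -Property @{
        NetBiosNodeType = Get-NetBiosNodeType
        LlmnrPolicy     = Get-LlmnrPolicyState
        CacheTtlLimit   = Get-ResolverCacheTtlLimit
        CachedRecords   = $cache.CachedRecords
        DistinctNames   = $cache.DistinctNames
    }
}

Get-NameResolutionClientAudit | Format-List
```

A node type of Hybrid on a machine that is supposed to be using WINS, and a Disabled by policy LLMNR state on domain members, are the two readings to expect on a well-configured domain client; a Broadcast node type usually means the WINS server address never reached the client.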

Using Group Policy to Manage DNS Client Settings

A dozen DNS client settings can be configured through group policy. The group policy path for all of them is Computer Configuration\Administrative Templates\Network\DNS Client, as shown in figure 10. Note that several of the settings visible in the group policy editor do not apply to Windows Vista.

Figure 10: Configuring DNS Client Settings With Group Policy

The impact of each DNS client setting is described in the following list:

  • Allow DNS Suffix Appending to Unqualified Multi-Label Name Queries – When a query fails, this setting determines whether the computer may attach suffixes to an unqualified multi-label name before sending subsequent queries.
  • DNS Suffix Search List – Configure this setting to specify the DNS suffixes that are attached to unqualified single-label names before queries are submitted.
  • Dynamic Update – Configure this setting to control whether or not the client will register and update its DNS records.
  • Primary DNS Suffix – This setting specifies the primary DNS suffix for the computer.
  • Primary DNS Suffix Devolution – This setting determines whether or not the client will undertake primary DNS suffix devolution while resolving names.
  • Register DNS records with connection-specific DNS suffix – Configure this setting to allow the client to register DNS records unique to each network connection.
  • Register PTR Records – Configure this setting to control whether the client registers PTR records.
  • Registration Refresh Interval – This setting determines how long before the client attempts to refresh its A and PTR resource record registrations.
  • TTL Set in the A and PTR records – This setting specifies the time-to-live field in resource records that the client registers.
  • Turn off Multicast Name Resolution – This setting controls whether the client uses LLMNR queries on the local subnet.
  • Update Security Level – This setting determines whether the client will use secure dynamic updates, unsecure dynamic updates, or both.
  • Update Top Level Domain Zones – Determines whether or not the client will send dynamic updates to zones with a single-label name such as .test.

Summary

This chapter presented information about configuring both DNS servers and DNS clients. A lot of detailed information about installing and managing AD DS integrated DNS servers was presented in chapter 15, Configuring DNS for Active Directory; this chapter introduced aspects of DNS not previously covered. This made for a relatively short chapter, although after reading this far into the book you might be thankful for that!

Chapter Review

This section presents a list of review questions designed to help reinforce the knowledge presented earlier in the chapter. To persuade you to explore the management tools more deeply a few questions may require you to examine those tools further rather than rereading the chapter.

Questions

  1. Your AD DS forest includes one domain and two domain controllers (DCs) running AD-integrated DNS. The first DC is configured with two zones: kurtdillard.com and 3.168.192.in-addr.arpa. The second is configured with three zones: kurtdillard.com, 3.168.192.in-addr.arpa, and .(root). Clients on the network are configured to use the second DC as their primary DNS server and the first as their secondary. Clients are unable to resolve names for any hosts located outside of the network. What should you do to resolve this issue?
    1. Copy the zone named .(root) to the first DC.
    2. Copy the root hints from a reliable DNS server.
    3. Delete the zone named .(root).
    4. Configure forwarders on both DCs.
  2. Your large company uses a specific firm for ordering all office supplies. Users are able to visit the office supply firm’s website to place their orders online. What could you do to improve name resolution performance for users that utilize the office supply website?
    1. Host a secondary zone for the office supply firm’s DNS domain.
    2. Configure a conditional forwarder for the office supply firm’s DNS domain that points to their DNS server.
    3. Reconfigure forwarding so that all external queries are forwarded to the office supply firm’s DNS server.
    4. Host a stub zone for the office supply firm’s DNS domain.
  3. How do you configure a caching-only DNS server?
    1. Install the server but do not add any zones, configure the IP addresses of one or more DNS forwarders.
    2. Install the server as an AD-DS integrated DNS server, enable forwarding, then configure the IP addresses of one or more DNS forwarders.
    3. Delete the root hints from the server.
    4. Enter the following command at a command prompt: dnscmd /config /norecursion.
  4. How do you configure WINS and DNS integration on servers?
    1. By modifying the properties of the appropriate DNS zones.
    2. By modifying the properties of the DNS servers.
    3. By modifying the properties of the WINS servers.
    4. By configuring the appropriate group policy settings in a group policy object that is applied to the DNS servers.
  5. Which of the following tools present information about the route to a remote host?
    1. Ping.
    2. Ipconfig.
    3. Nslookup.
    4. Pathping.
  6. How many of the following are methods that can be used by clients to resolve NetBIOS names?
    • LMHOSTS lookup.
    • Broadcast queries.
    • Link-Local Multicast Name Resolution.
    • HOSTS file.
    • WINS server query.
    • DNS query.
    • NetBIOS name cache.
    • DNS name cache.
    1. 4
    2. 5
    3. 6
    4. 7
    5. 8
  7. Which type of NetBIOS node first tries to resolve a NetBIOS name by querying a name server and only if that fails resorts to broadcasts?
    1. H-node.
    2. M-node.
    3. P-node.
    4. B-node.
  8. Host names for DHCP clients are not being registered via DDNS in your Active Directory domain. What tools should you use to verify that DDNS is enabled in a manner that minimizes administrative overhead? (pick 2)
    1. DNS Manager.
    2. Ipconfig.
    3. WINS Manager.
    4. DHCP Manager.
    5. Network Connections.

Answers

  1. The correct answer is C. The presence of a zone named .(root) means that the DNS server will behave as a root server and it will not forward queries. When this root zone is present the Root Hints and Forwarder tabs of the DNS server’s Properties dialog box become disabled. This situation usually arises when the server is unable to contact the root servers during the execution of the Active Directory Installation Wizard, the .(root) zone is added automatically when this occurs. This may seem like a terribly obscure bit of trivia, but I was sorely confused the first time I ran into this issue while setting up a demo lab a couple of years ago.
  2. B is correct, conditional forwarders are ideal for this type of situation. Hosting zones locally for the office supply firm's DNS domain would be inappropriate because their DNS servers would have to be configured to allow yours to pull zone transfers and your DNS servers would store information about all of their hosts, not just the servers that host their website. Configuring their DNS server for forwarding is a bad idea because then queries about hosts that are not part of the office supply firm's DNS domain would take longer to resolve if they would work at all.
  3. A is correct, caching-only servers are the simplest to configure.
  4. A is correct, WINS integration is configured on a per zone basis. There are no WINS integration options available for the DNS server properties, nor are there any DNS integration options available for the WINS server properties. Only DNS client settings are available in group policy, there are no DNS server configuration settings.
  5. D is correct, pathping can show information about the route and the routers used to send traffic to another computer. Ping can only verify basic network connectivity between hosts. Ipconfig is used to view and manage IP address settings. Nslookup is a tool for troubleshooting name resolution problems. Tracert is an older tool similar to pathping; it's still available in Windows Server 2008, however I think pathping is much more interesting.
  6. The correct answer is D. All except LLMNR may be part of the name resolution process for NetBIOS names, which are used depends upon the computer’s configuration. A computer running Windows configured as an H-node will try to resolve a NetBIOS name in the following order:
    1. Check to see if it is the local machine name
    2. NetBIOS name cache
    3. WINS server
    4. B-node broadcast
    5. LMHOSTS file
    6. HOSTS file
    7. DNS server
  7. The correct answer is A, an H-node is a hybrid node that combines the behavior of B-nodes and P-nodes as described. This is the default type of node for Windows clients that are configured with the address of a WINS server.
  8. A and D are correct, you need to ensure that the DNS zone which applies to the clients is configured to allow DDNS updates and you need to configure the relevant DHCP scopes to use DDNS. Admittedly, you can manage the client's DDNS behavior on the individual client by adjusting the IPv4 or IPv6 properties for the network adapter; however, the default behavior for Windows Vista when using DHCP is to use DDNS, so I think checking the server configuration first makes more sense. You are likely to run into these sorts of questions where several answers may solve the problem, however you need to pick the best one. Read the question carefully to figure out what 'best' means in the context of the question.

References

Microsoft's DNS Server page.

TCP/IP Host Name Resolution.

NetBIOS Name Resolution.

The Cable Guy – November 2006: Link-Local Multicast Name Resolution.