
Windows Server 2003

DNS Installation, Configuration, Management and Maintenance

林寶森
jeffl@ms11.hinet.net
What Is a Domain Namespace?
Figure: the DNS hierarchy from the root domain down to a single host
• Root Domain: “.”
• Top-Level Domains: net, com, org
• Second-Level Domain: nwtraders
• Subdomains: west, south, east (with sales below south)
• Host: server1
• FQDN: server1.sales.south.nwtraders.com
Overview of the DNS Query Process
• Query Types
– Iterative Query: the DNS server returns the best answer that it can
provide without help from other servers
– Recursive Query: the DNS server returns a complete answer to the
query, not a pointer to another DNS server
• Lookup Types
– Forward Lookup: requires name-to-address resolution
– Reverse Lookup: requires address-to-name resolution
How Recursive Queries Work
A recursive query is a query made to a DNS server, in which the DNS client
asks the DNS server to provide a complete answer to the query
Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the
local DNS server, which checks its forward lookup zone and its cache for an
answer (the zone database holds 172.16.64.11 for that name)
How Iterative Queries Work
An iterative query is a query made to a DNS server in which the DNS client
requests the best answer that the DNS server can provide without seeking further
help from other DNS servers. The result of an iterative query is often a referral to
another DNS server lower in the DNS tree
Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the
local DNS server. The local DNS server then issues iterative queries: to a
root hint (.) server, which refers it to .com; to a .com server, which refers
it to nwtraders.com; and to the nwtraders.com server, which returns the
authoritative response 172.16.64.11
How Root Hint Works
Root hints are DNS resource records stored on a DNS server that list the
IP addresses for the DNS root servers
Figure: the local DNS server (at a corporation or an ISP) uses its root
hints to reach the InterNIC root (.) servers, which refer it to the com
servers and from there to microsoft
How Forwarders Work
A forwarder is a DNS server designated by other internal DNS servers to forward
queries for resolving external or offsite DNS domain names
Figure: Computer1 sends a recursive query for mail1.nwtraders.com to the
local DNS server, which sends a recursive query to the forwarder. The
forwarder issues the iterative queries (root hint (.), .com, nwtraders.com)
and returns the authoritative response 172.16.64.11 to the local DNS server
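The query flow on the recursive, iterative, root-hint and forwarder slides above, as an added example that is not part of the original deck: a toy model in which the local DNS server answers Computer1's recursive query for mail1.nwtraders.com from cache, via a forwarder, or by iterating from its root hints and following referrals. The server names and namespace are constructed; 172.16.64.11 is the address the slides use.

```python
# Added example (not from the original slides): the local DNS server resolves a
# client's recursive query by checking its cache, handing the question to a
# forwarder, or walking the tree itself with iterative queries from the root
# hints. Server names and the namespace are constructed for illustration.

# Constructed toy namespace: each server knows its own records and the servers
# to which it delegates child zones.
SERVERS = {
    "root": {"delegations": {"com.": "com-tld"}},
    "com-tld": {"delegations": {"nwtraders.com.": "ns1.nwtraders.com"}},
    "ns1.nwtraders.com": {"records": {"mail1.nwtraders.com.": "172.16.64.11"}},
}
ROOT_HINTS = ["root"]  # root hints: where iteration starts when nothing is cached


def iterative_query(server, name):
    """One iterative query: the server gives the best answer it has without
    asking anyone else, i.e. the record itself or a referral to a child zone."""
    srv = SERVERS[server]
    if name in srv.get("records", {}):
        return ("answer", srv["records"][name])
    # Longest delegated zone that is a suffix of the queried name, if any.
    for zone, child in sorted(srv.get("delegations", {}).items(),
                              key=lambda kv: -len(kv[0])):
        if name.endswith("." + zone):
            return ("referral", child)
    return ("unknown", None)  # nothing this server can offer


def recursive_resolve(name, cache, root_hints=ROOT_HINTS, forwarder=None):
    """The local DNS server's handling of a recursive query from a client.
    Returns (ip, trace); trace lists each step taken."""
    if name in cache:
        return cache[name], ["cache hit"]
    if forwarder is not None:
        # The forwarder receives a recursive query and does the iteration itself.
        ip, inner = recursive_resolve(name, {}, root_hints)
        cache[name] = ip
        return ip, [f"recursive query to forwarder {forwarder}"] + inner
    trace, server = [], root_hints[0]
    while True:
        kind, value = iterative_query(server, name)
        trace.append(f"{server} -> {kind} {value}")
        if kind == "answer":
            cache[name] = value  # keep it for later clients (subject to TTL)
            return value, trace
        if kind == "unknown":
            return None, trace
        server = value  # follow the referral one level down the tree
```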
What Is a DNS Zone?
Figure: the Nwtraders namespace with the subdomains South, West and North
and the subdomains Sales, Support and Training
What Are DNS Zone Types?
• Primary: read/write copy of a DNS database
• Secondary: read-only copy of a DNS database
• Stub: copy of a zone containing limited records
Selecting Zone Data Location
• Standard Zones: a change is made on the primary zone and copied to the
secondary zone by zone transfer
• Active Directory Integrated Zones: a change can be made on any server
hosting the zone; zone transfer to secondary zones remains available
Configuring Standard Zones
• You can configure a DNS server to host standard primary zones,
standard secondary zones, or any combination of zones
• You can designate a primary server or a secondary server as a
master server for a standard secondary zone
Figure: DNS Server A hosts the primary zone; DNS Server B and DNS Server C
each host a secondary zone whose master DNS server is DNS Server A, from
which they receive the zone information
What Are Resource Records and Record Types?
• A: Resolves a host name to an IP address
• PTR: Resolves an IP address to a host name
• SOA: The first record in any zone file
• SRV: Resolves names of servers providing services
• NS: Identifies the DNS servers for each zone
• MX: Identifies the mail server for the domain
• CNAME: Maps an alias host name to another host name
Zone Transfer Process
A Zone Transfer is Initiated When
– A master DNS server sends notification of zone changes to
the secondary server or servers
– The secondary server queries a master DNS server for
changes to the zone file
Figure: the master DNS server holding the primary zone (nwtraders, with
support and training) copies its database file to the DNS server holding the
secondary zone, which keeps its own copy of the database file
Configuring Zone Transfers
• Zone Transfer Types
– Full zone transfer (AXFR)
– Incremental zone transfer (IXFR)
• Configuring Zone Transfer Properties (the zone’s SOA record)
– Serial number: 2 (Increment)
– Refresh interval: 15 minutes
– Retry interval: 10 minutes
– Expires after: 1 day
– Minimum (default) TTL: 0:1:0:0 (days:hours:minutes:seconds, i.e. 1 hour)
• Configuring DNS Notify
Configuring Zone Transfers
Figure: two tabs of the nwtraders.msft Properties dialog (tabs: General,
Start of Authority (SOA), Name Servers, WINS, Zone Transfers, Security)
• Start of Authority (SOA) tab: Serial number 28 (Increment); Primary server
london.contoso.com; Responsible person admin.contoso.com; Refresh interval
15 minutes; Retry interval 10 minutes; Expires after 1 day; Minimum
(default) TTL 0:1:0:0; TTL for this record 0:1:0:0
• Zone Transfers tab: “A zone transfer sends a copy of the zone to requesting
servers.” Allow zone transfers: To any server / Only to servers listed on
the Name Servers tab / Only to the following servers (IP address list with
Add and Remove). “To specify secondary servers to be notified of zone
updates, click Notify.”
How DNS Notify Works
A DNS notify is an update to the original DNS protocol specification that
permits notification to secondary servers when zone changes occur
Figure: source server (primary and master server) and destination server
(secondary server)
1 Resource record is updated on the source server
2 SOA serial number is updated
3 DNS notify is sent to the destination server
4 Zone transfer
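The SOA timers from the zone transfer slides and the notify sequence above, as an added example that is not part of the original deck: a model of a secondary server that uses the dialog's refresh (15 minutes), retry (10 minutes) and expire (1 day) values, transfers only when the master's serial is higher, and checks the SOA immediately on a DNS notify. The clock and the serial numbers 27 and 28 are constructed (28 matches the dialog).

```python
# Added example (not from the original slides): a secondary server driven by the
# SOA values on the slides (refresh 15 min, retry 10 min, expire 1 day) and by
# DNS notify. Times are seconds on a constructed clock.
REFRESH, RETRY, EXPIRE = 15 * 60, 10 * 60, 24 * 60 * 60


class SecondaryZone:
    def __init__(self, serial):
        self.serial = serial        # serial number of the copy this server holds
        self.last_ok = 0            # time of the last successful contact with the master
        self.next_check = REFRESH   # when to next ask the master for its SOA
        self.transfers = []         # log of (time, old_serial, new_serial)

    def expired(self, now):
        """After EXPIRE seconds without a successful SOA check or transfer the
        copy is discarded and the server stops answering for the zone."""
        return now - self.last_ok > EXPIRE

    def _check_soa(self, now, master_serial):
        # Transfer only when the master's serial is greater than ours: a change
        # on the primary propagates only if its serial number was incremented.
        if master_serial > self.serial:
            self.transfers.append((now, self.serial, master_serial))
            self.serial = master_serial
            result = "transfer"
        else:
            result = "current"
        self.last_ok, self.next_check = now, now + REFRESH
        return result

    def tick(self, now, master_serial=None):
        """Periodic timer. master_serial is None when the master is unreachable.
        Returns 'idle', 'retry', 'current' or 'transfer'."""
        if now < self.next_check:
            return "idle"
        if master_serial is None:
            self.next_check = now + RETRY   # master down: try again sooner
            return "retry"
        return self._check_soa(now, master_serial)

    def notify(self, now, master_serial):
        """DNS notify from the master: check the SOA at once instead of waiting
        out the refresh interval, so the change propagates promptly."""
        self.next_check = now
        return self.tick(now, master_serial)
```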
Configuring AD Integrated Zones
• Active Directory Integrated Zone Data Is
– Stored as an Active Directory object
– Replicated as part of domain replication
Figure: an Active Directory integrated zone for contoso.com, stored in
Active Directory and served by the DNS server
What Are Directory Partitions?
Partition: Contents (replication scope)
• Schema: definitions and rules for creating and manipulating objects and
attributes (forest)
• Configuration: information about the Active Directory structure (forest)
• <Domain>: information about domain-specific objects (domain)
• <Application>: information about applications (configurable replication)
Selecting a Partition
Figure: the partitions of the Active Directory database available for zone
data: forest, domain and application directory partitions
Configuring Dynamic Updates
• DNS Dynamic Update Protocol
– Allows clients to automatically update DNS servers
– Can be used in conjunction with DHCP
Figure: Computer1 (a Windows client), the DHCP server and the DNS server
with its zone database
1 Request for IP address (Windows client to DHCP server)
2 Assign IP address of 192.168.120.133
• Windows 2000, XP and 2003 clients update their forward resource record on
the DNS server
• DHCP updates the reverse resource record for Windows 2000, XP and 2003
clients, and both resource records for other clients
Securing Dynamic Updates
Figure: the General tab of the nwtraders.msft Properties dialog
• Status: Running (Pause)
• Type: Active Directory-integrated (Change…); data is stored in Active
Directory
• Allow dynamic updates? Only secure updates (secure dynamic updates are
available for Active Directory integrated zones)
• To set aging/scavenging properties, click Aging…
Creating a Subdomain
• Create a Subdomain to Better Organize Your Namespace
• Delegate Authority of a Subdomain To
– Delegate management of portions of the namespace
– Delegate administrative tasks of maintaining one large DNS
database
Figure: Root “.”; top-level domains org., com., edu., tw.; second-level
domain microsoft.com.; subdomain training.microsoft.com.
DNS Server Roles
Role: Situation
• Caching-only servers: a remote office has a limited amount of available
bandwidth
• Non-recursive servers: you have Internet-facing DNS servers that are
authoritative for one or more zones
• Forward-only servers: you want to manage the DNS traffic between your
network and the Internet
• Conditional forwarders: you want DNS clients in separate networks to
resolve each other’s names without having to query the DNS server on the
Internet
How the Time-to-Live Value Works
The Time-to-Live (TTL) value is a time-out value expressed in seconds that is
included with DNS records that are returned in a DNS query
Figure: a DNS client, DNS Server1 and DNS Server2 each cache the resource
record; the TTL is set on the zone held by the authoritative DNS server
1 The records in the zone are sent to other DNS servers and clients in
response to queries
2 DNS servers and DNS clients that store the record in their cache hold
the record for the TTL period supplied in the record
3 When the TTL expires, the record is removed from the cache
Reducing Network Traffic by Using Caching-Only Servers
• Caching-Only Servers
– Perform name resolution on behalf of client computers and
cache the results
– Can be used to reduce DNS-related traffic across a WAN
Figure: clients in a remote office query a caching-only DNS server, which
reaches the DNS server at corporate headquarters over a slow WAN link
How Aging and Scavenging Works
Figure: timeline for a dynamically registered record time stamped on Jan 1:
the no-refresh interval (7 days) runs to Jan 8, the refresh interval (7 days)
runs to Jan 15, after which the record can be scavenged
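The aging and scavenging timeline above, as an added example that is not part of the original deck: a model of the time stamp on a dynamically registered record with the slide's 7-day no-refresh and 7-day refresh intervals, showing which re-registrations move the stamp and when the record becomes eligible for scavenging. Record names and dates are constructed.

```python
# Added example (not from the original slides): the aging/scavenging timeline
# for a record time stamped Jan 1 with a 7-day no-refresh interval and a
# 7-day refresh interval. Record names and dates are constructed.
from datetime import datetime, timedelta

NO_REFRESH = timedelta(days=7)  # the stamp may not be refreshed during this time
REFRESH = timedelta(days=7)     # the stamp may be refreshed during this time


class Record:
    def __init__(self, name, timestamp=None):
        self.name = name
        # Dynamically registered records carry a time stamp; static records
        # (timestamp None) are never aged or scavenged.
        self.timestamp = timestamp

    def refresh(self, now):
        """A client re-registers the same data. Inside the no-refresh interval
        the stamp stays put (no replication of a no-op change); inside the
        refresh interval it moves to now. Returns True if the stamp moved."""
        if self.timestamp is None or now < self.timestamp + NO_REFRESH:
            return False
        self.timestamp = now
        return True

    def stale(self, now):
        """Eligible for scavenging once both intervals have elapsed since the
        stamp without a refresh: Jan 15 for a record stamped Jan 1."""
        if self.timestamp is None:
            return False
        return now >= self.timestamp + NO_REFRESH + REFRESH


def scavenge(zone, now):
    """Delete stale records from the zone (a list); return the names removed."""
    removed = [r.name for r in zone if r.stale(now)]
    zone[:] = [r for r in zone if not r.stale(now)]
    return removed
```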
What Is DNS Debug Logging?
DNS debug logging is an optional logging tool for DNS that stores the
DNS information that you select
Figure: primary DNS Server1 and secondary DNS Server2
Planning a DNS Implementation
• Small Companies
– Can use ISP DNS servers for queries and to
store company domain names
• Larger Companies
– Maintain their own DNS servers
• Two DNS Servers Recommended
– Primary name server
– Secondary name server
DNS Namespace Options
Option: Existing DNS namespace / Internal namespace
• Same Namespace: nwtraders.com / nwtraders.com
• Delegated Namespace: nwtraders.com / ad.nwtraders.com
• Unique Namespace: nwtraders.com / nwtraders.local
Connecting DNS to the Internet
Figure: an internal DNS server on the private network, an external DNS
server in a screened subnet between two firewalls, and DNS servers on the
Internet
• Forwarding DNS Queries to Internet DNS Servers
• Responding to DNS Queries from the Internet
Integrating DNS into Screened Subnets
Figure: the public.contoso.msft primary DNS zone on the private network and
a public.contoso.msft secondary DNS zone in the screened subnet, separated
from the private network and from the Internet by firewalls
• Zones Contain Records for Public Resources
• Configure Firewalls to Permit Appropriate DNS Traffic
• Place Only Secondary Zones in the Screened Subnet
• Encrypt Replication Traffic with IPSec