Windows Server 2008 R2 Unleashed (58 page)

compliant DNS implementations.

. Secure DNS with DNSSEC

IPv6 is rapidly gaining traction in the IT world and is an

integral feature of the Windows Server 2008 R2 operating

system. Windows Server 2008 R2 supports IPv4 fully in

roles such as DNS, Dynamic Host Configuration Protocol

(DHCP), and Internet Information Services (IIS). Windows

Server 2008 R2 even includes additional features such as the

GlobalNames zone to support single-label names with IPv6.

This chapter details the key components of DNS in general

and provides an overview of Windows Server 2008 R2’s

specific implementation of DNS. A particular emphasis is

placed on the role of DNS in Active Directory Domain

Services and the way it fits in standard and nonstandard

configurations. Step-by-step instructions outline how to

install and configure specific DNS components on Windows

Server 2008 R2. In addition, troubleshooting DNS issues

260

CHAPTER 10

Domain Name System and IPv6

and specific Active Directory design scenarios helps to give a hands-on approach to your

understanding of DNS.

Understanding the Need for DNS

Computers and humans conceptualize in drastically different ways. In terms of under-

standing locations, humans are much better at grasping the concept of names rather than

numbers. For example, most people think of cities by their names, not by their ZIP codes.

Computers, however, work in binary, and subsequently prefer to work with numbers. For

example, computers at the post office translate the city and address names into specific

ZIP codes for that region, helping each letter reach its destination.

Name resolution for computer systems works in a similar way. A user-friendly name is

translated into a computer-identifiable number. TCP/IP uses a number scheme that

uniquely identifies each computer interface on a network by a series of numbers, such as

10.1.2.145, known as an IP address. Because most humans are not interested in memoriz-

ing several of these types of numbers, they must be easily resolvable into user-friendly

names such as www.microsoft.com.

DNS, in its simplest form, provides for name resolution in a distributed fashion, with each

ptg

server or set of servers controlling a specified zone and with entries for each resource

called resource records (RRs) that indicate the location of a particular object.

A good analogy for DNS can be found in telephone books. Each city or metropolitan area

(namespace) publishes a separate phone book (zone) that contains many listings (resource

records) that map people’s names to their phone numbers (IP addresses). This simple

example illustrates the basic principle behind DNS. When you understand these basics,

further drilling down into the specifics, especially with regard to Windows Server 2008

R2’s DNS, is possible.

Detailing the History of DNS

The Internet, as originally implemented, utilized a simple text file called a HOSTS file that

contained a simple list of all servers on the Internet and their corresponding IP addresses.

This file was copied manually from the master server to multiple secondary HOSTS

servers. As more and more servers were added to the Internet, however, updating this file

became unmanageable, and a new system became necessary.

In 1983, in direct response to this problem, the RFCs for the DNS were drawn up, and this

form of name resolution was implemented on a large scale across the Internet. Instead of a

small number of static HOSTS files, DNS servers formed a hierarchical method of name

resolution, in which servers resolved only a certain segment of hosts on the Internet and

delegated requests that it did not manage. This allowed the number of records held in

DNS to scale enormously, without a subsequently large performance decrease.

Microsoft developed its own implementation of DNS in Windows NT 4.0, which was

based on the RFC standards on which DNS was founded. With the introduction of

Windows 2000, Microsoft adopted DNS as the principle name-resolution strategy for

Understanding the Need for DNS

261

Microsoft products. Older, legacy name-resolution systems such as Windows Internet

Naming Service (WINS) are slowly being phased out. Since that time, the DNS implemen-

tation used by Microsoft has evolved to include a number of key benefits that distinguish

it from standard DNS implementations—for example, UNIX BIND. To understand these

improvements, however, you first need a basic understanding of DNS functionality.

Establishing a Framework for DNS

DNS structure is closely tied to the structure of the Internet and often is confused with the

Internet itself. The structure of DNS is highly useful, and the fact that it has thrived for so

long is a tribute to its functionality. A closer examination of what constitutes DNS and

how it is logically structured is important in understanding the bigger picture of how DNS

fits into Windows Server 2008 R2.

Explaining the DNS Hierarchy

DNS uses a hierarchical approach to name resolution in which resolution is passed up and

down a hierarchy of domain names until a particular computer is located. Each level of

the hierarchy is divided by dots (.), which symbolize the division. A fully qualified domain

name (FQDN), such as server1.sales.companyabc.com, uniquely identifies a resource’s

space in the DNS hierarchy. Figure 10.1 shows how the fictional CompanyABC fits into

the DNS hierarchy.

ptg

‘.’ Root

.com

.edu

.net

.org

companyabc.com

microsoft.com

10

sales.companyabc.com

FIGURE 10.1

DNS hierarchy.

The top of the hierarchy is known as the root, and is represented by a single . (dot).

Moving down the DNS hierarchy, the next layer in the model is made up of top-level

262

CHAPTER 10

Domain Name System and IPv6

domain (TLD) names, which are .com, .net, .gov, .fr, and similar domain namespaces

that loosely define the particular category that a domain namespace fits into. The Internet

Assigned Numbers Authority (IANA) oversees the global root zone management and

management of the TLDs. The IANA is operated by the Internet Corporation for Assigned

Names and Numbers (ICANN). The official list of all generic TLDs maintained by IANA is

given in Table 10.1.

TABLE 10.1

List of Generic Top-Level Domain Names

TLD

Purpose

.aero

Air Travel Industry

.asia

Asia-Pacific Region

.biz

Businesses

.cat

Catalan Language

.com

Commercial

.coop

Cooperatives

.edu

Educational Institutions

ptg

.gov

U.S. Government

.info

Informational

.int

International Organizations

.jobs

Companies (Job Postings)

.mil

U.S. Military

.mobi

Mobile Devices

.museum

Museums

.name

Individuals

.net

Network

.org

Organization

.pro

Professions

.tel

Internet Communications

.travel

Travel and Tourism Industry

For example, educational institutions are commonly given .edu extensions, and commer-

cial businesses are given .com extensions. These extensions form the first set of branches

to the DNS tree. The .biz, .com, .info, .name, .net, and .org are all open TLDs, meaning

Getting Started with DNS on Windows Server 2008 R2

263

any individual or entity can register the domains. Other TLDs have restrictions based on

the intended use.

In addition to the generic TLDs, the IANA maintains country-code TLDs. These country

codes are the two-letter codes specified in International Organization for Standardization

(ISO) 3166 standard. For example, .co is maintained for Colombia and .fr is maintained

for France. Interestingly, all the country-code TLDs listed in ISO 3166 are maintained, but

some are unused, such as the Saint Martin (.mf). There are also a handful of exceptions,

such as the listing for United Kingdom, which is listed in the ISO 3166 standard as .gb,

but .uk is used instead.

The second level in the DNS hierarchy commonly contains the business name of an orga-

nization, such as companyabc in Figure 10.1. This level is normally the first area in the

DNS hierarchy where an organization has control over the records within the domain and

where it can be authoritative.

Subdomains can easily be, and often are, created in the DNS hierarchy for various reasons.

For example, sales.microsoft.com is a potential domain that could exist as a sublevel of the

microsoft.com domain. The DNS hierarchy works in this way, with multiple levels possible.

Outlining the DNS Namespace

ptg

The bounded area that is defined by the DNS name is known as the DNS namespace.

Microsoft.com is a namespace, as is marketing.companyabc.com. Namespaces can be either

public or private. Public namespaces are published on the Internet and are defined by a

set of standards. All the .com, .net, .org, and similar namespaces are external, or public.

An internal namespace is not published to the Internet, but is also not restricted by exten-

sion name. In other words, an internal, unpublished namespace can occupy any conceiv-

able namespace, such as dnsname.local or companyabc.internal. Internal namespaces are

most often used with Active Directory because they give increased security to a name-

space. Because such namespaces are not published, they cannot be directly accessed from

the Internet.

Getting Started with DNS on Windows Server 2008 R2

To fully understand the capabilities that Windows Server 2008 R2 offers for DNS, the

product should be installed in a lab environment. This helps to conceptualize the various

components of DNS that are presented in this chapter.

10

Installing DNS Using the Add Roles Wizard

Although there are various ways to install and configure DNS, the most straightforward

and complete process involves invoking the Add Roles Wizard and the subsequent

Configure a DNS Server Wizard. The process detailed in this section illustrates the installa-

tion of a standard zone. Multiple variations of the installation are possible, but this partic-

ular scenario is illustrated to show the basics of DNS installation.

264

CHAPTER 10

Domain Name System and IPv6

NOTE

It is recommended that DNS servers are configured with static IPv4 addresses

because if the IP address changes, clients might be unable to contact the DNS server.

Installation of DNS on Windows Server 2008 R2 is straightforward, and no reboot is neces-

sary. To install and configure the DNS service on a Windows Server 2008 R2 computer,

follow these steps:

1. Launch Server Manager.

2. Select the Roles node and click the Add Roles link.

3. Click Next on the Before You Begin page.

4. Select the DNS Server role check box and click Next.

5. Click Next on the Introduction to DNS Server page.

6. Click Install on the Confirmation page to install the DNS role.

7. Click Close to exit the Add Roles Wizard.

The DNS role has been installed on the Windows Server 2008 R2 server, but has not been

configured. To configure the role, execute the following steps:

ptg

1. Launch Server Manager.

2. Expand the Roles, DNS Server, DNS nodes, and then select the DNS server name.

3. Select Action, Configure a DNS Server.

4. On the Welcome page for the Configure a DNS Server Wizard, click Next to continue.

5. Select Create Forward and Reverse Lookup Zones (Recommended for Large

Networks), and click Next.

6. Select Yes, Create a Forward Lookup Zone Now (Recommended), and click Next.

7. Select the type of zone to be created—in this case, choose Primary Zone—and click

Next. If the server is a writable domain controller, the Store the Zone in Active

Directory check box is available.

8. If storing the zone in Active Directory, select the replication scope and click Next.

9. Type the FQDN of the zone in the Zone Name box, and click Next.

10. At this point, if creating a non-AD-integrated zone, you can create a new zone text

file or import one from an existing zone file. In this case, choose Create a New File

with This File Name, and accept the default. Click Next to continue.

11. The subsequent page allows a zone to either accept or decline dynamic updates. For

this example, enable dynamic updates by selecting the Allow Both Nonsecure and

Secure Updates option button and clicking Next.