DNS Zones

Nov 30
2009

Types of DNS Zones
When you sit down to plan your DNS server you need to know all the zone types you can use, so you can get the full benefit from this wonderful tool.
For example, you can use zone transfers to set up your name servers, or you can use Active Directory Integrated Zones if you want every zone to replicate automatically to each DNS server in your environment.

DNS Levels
First, before we begin, you must understand how a DNS server works: always remember that DNS resolves queries hierarchically, so you must know which levels are involved in your zones.
Here is an easy example of the DNS hierarchy:
1. '.' - the DNS root (the default Root Hints).

2. .COM – this is called the Top Level Domain (TLD).

3. Planning-tech.com - Planning-tech will be my main zone.

4. Creative.Planning-tech.com – Creative will be our subzone.

DNS Zone Direction possibilities
Actually it's very simple, and I already explained it in my first post, but for those who still don't understand, here it goes.
One thing you always need to remember when you configure your DNS server is that there are only two zone directions to choose from for each zone.
Forward Lookup Zone
In this case you already know the hostname and your DNS server tells you the IP address of the host you requested. With a forward lookup we get the option to find Hosts (A) and Name Servers (NS).
Reverse Lookup Zone
Here we have the opposite: we know the IP address and the DNS server resolves it to a hostname. You also need to know that a reverse zone is a security concern and should be used only for particular assignments, for example when you need to establish a connection to an SMTP mail relay or you want to use NSLookup.

Now that you have the basics, let's see what kinds of zones you can use.
Active Directory – Integrated Zone
This is the most relevant option for most organizations. It is recommended when you have only Windows DNS servers and no UNIX DNS servers in your environment; if that is your case, this is the best solution.
The main reason to use the Active Directory – Integrated Zone is the replication benefit you receive when you use it. I will explain it in a few words so you can understand.
For example:
If you have a DNS1 server that holds your DNS zones and you install a second server, DNS2, for redundancy, all changes you make on either server replicate automatically to the other DNS server (remember that Active Directory Sites determine the replication configuration).
In other words, an Active Directory – Integrated Zone is a unique kind of Primary Zone that can exist only on servers that are Domain Controllers.

Primary Zones
The primary zone is the main authoritative zone (the master copy of our DNS zone). This is where all records are created and managed by the server and the administrator. In this zone type you can create, change or delete any record, because a Primary Zone is a writable zone.

Secondary Zone
Unlike the Primary Zone, the Secondary Zone is a read-only copy, and record changes are not possible on this type of zone. Because we cannot change the records directly, all record changes arrive through replication (zone transfer) from the Primary Zone.
For me the only time I want to use this option is when I want to create domain trusts or when I want to create redundancy.
Stub Zone
The Stub Zone is a copy of your zone, but it's unique because the only records it can supply are the ones needed to find the authoritative DNS servers for that zone. The Stub Zone contains only SOA, NS and A records.

Secure and Non-Secure Dynamic Updates
Dynamic Updates were first available in Windows 2000, and as you already know we are talking about a huge advantage and a pure benefit for the IT guys. Just imagine the times before Windows 2000, the "Stone Age", when you had to update all your DNS records manually.
Secure Updates help us make our DNS server much more secure than before: when using secure updates, only computers that have an object created in Active Directory can update or add their record in the organization's DNS server (we are talking about the A record, in case you missed it...).
Note!
Microsoft recommends that when using Active Directory Integrated Zones you enable "Secure only" for Dynamic Updates.

DNS Zone Features

Nov 28
2009

Forward Lookup Zone

Holds all three zone types available:

  • Primary Zone.
  • Secondary Zone.
  • Stub Zone.

Record types per zone:

  • Primary Zone: SOA, A, CNAME, MX, NS, SRV
  • Secondary Zone: SOA, A, CNAME, MX, NS, SRV
  • Stub Zone: SOA, A, NS

Reverse Lookup Zone

Holds all three zone types available:

  • Primary Zone.
  • Secondary Zone.
  • Stub Zone.

Record types per zone:

  • Primary Zone: SOA, PTR
  • Secondary Zone: SOA, PTR
  • Stub Zone: SOA, NS, A


DNS Queries – Iterative and Recursive

Nov 28
2009

In this article I will try to explain the type of answer you will get when you send a query to your DNS server.

The Recursive name query

When a client sends a request to a recursive DNS server it must get a response, no matter whether the server is authoritative for the answer or not. In this case the server can respond in two different ways.

The first option is that the DNS server holds the record for the requested client query and responds as it is supposed to for the specific record type.

The second option is that the DNS server does not hold the requested record for the client query; in that case the server sends an error message to the client and does not forward the client query to another DNS server to try to resolve it.

Recursive name queries can be made by clients to a DNS server, or from one DNS server to a second DNS server (to send queries between two DNS servers we need to set the second DNS server as a Forwarder).

Here we need to remember one easy rule!

Whether or not the server can resolve the client query, it is the last stage for the client's queries.

The Iterative name query

When a client sends a request to an iterative DNS server it also allows the server, in case it does not hold the record for the query, to forward the request to another DNS server that holds the record and can return the correct response to the query forwarded to it.

These types of queries are typically established between two different DNS servers.

Here I will show you an example of those two query types.

  1. The user connects to DNS1 with a recursive query for dudu.planning-tech.com.

Note!

In this case the DNS1 server must respond to the client query with the correct answer or an error message.

  2. DNS1 needs to check whether it has an answer to the query, and cannot find the correct record for it.

Note!

DNS1 checks both its zones and its cache to see if it can answer the client query.

  3. Because DNS1 cannot give the correct answer to the client query, it sends a recursive request to an alternative DNS server on the internet.

Note!

DNS servers hold the "Root Hints" by default, which help them send queries to other DNS servers around the net.

  4. The root DNS server on the internet also cannot resolve the request from DNS1.

  5. The root DNS server tries to resolve the request with the authoritative DNS server for the .COM domain name.

  6. DNS1 establishes a connection to the .COM domain server with an iterative query for dudu.planning-tech.com.

  7. Now the server responsible for the .COM domain does not know the full answer to the client query, so it answers with a referral to the servers authoritative for planning-tech.com.

  8. DNS1 connects to the server that holds planning-tech.com.

  9. The planning-tech.com server also does not know the full answer, so it responds with the requested IP.

  10. After all this process, DNS1 can now respond to the user with the IP address of "dudu.planning-tech.com."
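The walk above, as an added Python example that is not from the original post: a toy model in which each authoritative server answers only from its own zone data, while DNS1's resolver follows referrals from the root hints and caches the final answer. Every server name, zone and address here is constructed for the demo.

```python
# Added example, not from the original post: a toy model of the walk described
# above. Every server name, zone and address here is constructed for the demo.
ROOT_HINTS = ["a.root-servers.example"]

# Each authoritative server knows only its own zone: the records it can answer
# directly (A) and the delegations (NS) it can refer a resolver to.
ZONES = {
    "a.root-servers.example": {
        "NS": {"com.": ["a.gtld-servers.example"]},
        "A": {},
    },
    "a.gtld-servers.example": {
        "NS": {"planning-tech.com.": ["ns1.planning-tech.com."]},
        "A": {"ns1.planning-tech.com.": "203.0.113.53"},  # glue record
    },
    "ns1.planning-tech.com.": {
        "NS": {},
        "A": {"dudu.planning-tech.com.": "203.0.113.10"},
    },
}


def iterative_query(server, qname):
    """One iterative question to one server. The server answers from its own
    data, refers us to the closest delegation it knows, or says NXDOMAIN.
    It never goes and asks anyone else on our behalf."""
    data = ZONES[server]
    if qname in data["A"]:
        return "ANSWER", data["A"][qname]
    best = None
    for zone in data["NS"]:
        if qname.endswith(zone) and (best is None or len(zone) > len(best)):
            best = zone  # longest matching delegation wins
    if best is not None:
        return "REFERRAL", data["NS"][best]
    return "NXDOMAIN", None


def recursive_resolve(qname, cache=None):
    """What DNS1 does for the client: check the cache, then walk referrals
    from the root hints until an answer or an error. The client only ever
    sees the final result, which is the 'last stage' rule from the text."""
    cache = {} if cache is None else cache
    if qname in cache:
        return cache[qname], [("cache", "ANSWER")]
    trail = []
    servers = list(ROOT_HINTS)
    for _ in range(10):  # guard against a referral loop
        server = servers[0]
        kind, payload = iterative_query(server, qname)
        trail.append((server, kind))
        if kind == "ANSWER":
            cache[qname] = payload
            return payload, trail
        if kind == "NXDOMAIN":
            return None, trail
        servers = payload  # follow the referral
    return None, trail
```

The trail returned with each answer shows which server gave a referral and which one finally answered, which is the sequence the numbered steps describe.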

DNS Records types

Nov 26
2009

We use different resource records to resolve many types of queries in today's environment. The purpose of a DNS query is to help us locate the server that is authoritative for a domain, such as a Domain Controller; its job is to check the query against its resource records.

Types of records and what they are here for:

_SRV and _MSDCS records:

These two records are created by default when you install the DNS role in your environment, and they are required for communication with Active Directory.

These records help us see the services available and make the connection between client computers and the Domain Controllers by resolving the DC IP addresses.

For example we can see our DNS servers, our Active Directory servers and our Global Catalog servers.

SOA (State of Authority) Records:

This is the most important record a DNS server has to offer, and to make life easy for us administrators we had better know how to manage this record, so we can control our DNS server easily. We also need to remember that we have only one SOA record in a zone.

Basically this record contains all the information about our DNS server and domain. For example, in the SOA we can get information about updates and the time they occur in our domain; we can also specify our e-mail address, in case we are not at work because we transferred to a bigger office and make much more money and our replacement needs to ask stupid questions. We also need to know that a good SOA configuration helps us save replication time in our domain.

MX Records:

If I had one way to describe the purpose of MX records, I would say that we use this type of record to help servers deliver e-mail between them.

The e-mail delivery can occur in your internal environment or to other external domains.

The process is very simple:

A client from the planning-tech domain sends e-mail to another client that belongs to the Microsoft domain.

The mail is sent to an SMTP server, which checks the MX record of the domain in the destination e-mail address (XXX@IBM.com). If the SMTP server finds the MX record correctly configured, it then looks up the A record for that mail server and establishes the connection to it.

We can create multiple MX records (for redundancy or to balance between our Exchange servers) with a priority between them, so when the SMTP server tries our MX records it chooses the one with the lower number, and if it is not active it goes to the second-priority MX record with the higher number.
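The MX priority walk, as an added Python example that is not from the original post: the sending server orders the MX set by preference, resolves each exchange to its A record and falls through to the next exchange when the preferred one is down. The MX records, A records and the set of reachable addresses are all constructed.

```python
# Added example, not from the original post. The MX set, A records and the
# "reachable" set are constructed; they stand in for DNS answers and for an
# SMTP connection attempt.
MX_RECORDS = [
    (20, "mx2.planning-tech.com."),
    (10, "mx1.planning-tech.com."),
    (30, "mx-backup.planning-tech.com."),
]
MX_A_RECORDS = {
    "mx1.planning-tech.com.": "203.0.113.25",
    "mx2.planning-tech.com.": "203.0.113.26",
    # mx-backup deliberately has no A record: a common misconfiguration
}


def mx_delivery_order(mx_records):
    """Lower preference number is tried first; ties are broken by name so the
    order is stable (real senders randomise among equal preferences)."""
    return [name for _, name in sorted(mx_records)]


def choose_mail_server(mx_records, a_records, reachable):
    """Walk the MX set in preference order, resolve each exchange to its A
    record and take the first one that accepts a connection.
    Returns (ip or None, list of exchanges tried)."""
    tried = []
    for exchange in mx_delivery_order(mx_records):
        tried.append(exchange)
        ip = a_records.get(exchange)
        if ip is None:
            continue  # MX points at a name with no A record: skip it
        if ip in reachable:
            return ip, tried
    return None, tried
```

When the preferred exchange is unreachable the returned "tried" list shows the fallback path, which is the behaviour the priority numbers are there to give you.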

NS Records:

This record simply helps us know the authoritative DNS servers we have in our environment.

We need to know/use the NS records when we create forwarders between DNS servers, both internal and external.

PTR Records:

First we need to know that we cannot create a PTR record by default; to create PTR records we first need to create an additional zone called a "Reverse Lookup" zone.

The PTR record maps IP addresses to hostnames. When you use this type of record you need to know that it can also introduce security problems, because an attacker can easily perform a "Reverse DNS Lookup" and by that learn all your domain names, among other security problems (but that will be explained in another post...).

The main purpose of the PTR records is to help us establish a connection to an SMTP mail relay, which must have the PTR record to function properly so we can enjoy mail flow.
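For the Reverse Lookup Zone section above and the PTR section here, an added Python example that is not from the original post: it builds the reverse zone name and PTR owner name for an IPv4 block, and runs the forward-confirmed reverse DNS check (PTR back to A) that mail relays commonly apply to a connecting host. The A and PTR tables are constructed.

```python
import ipaddress

# Added example, not from the original post. The A and PTR tables below are
# constructed stand-ins for what a resolver would get back from DNS.
A_RECORDS = {
    "mail.planning-tech.com.": "203.0.113.25",
    "www.planning-tech.com.": "203.0.113.80",
}
PTR_RECORDS = {
    "25.113.0.203.in-addr.arpa.": "mail.planning-tech.com.",
    "80.113.0.203.in-addr.arpa.": "web-old.planning-tech.com.",  # stale PTR
}


def reverse_zone_name(network):
    """Name of the Reverse Lookup Zone that holds PTRs for an IPv4 block.
    Only octet-aligned blocks (/8, /16, /24) map to a single zone."""
    net = ipaddress.IPv4Network(network, strict=True)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("use a /8, /16 or /24 network")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_owner_name(ip):
    """Owner name of the PTR record for one address (octets reversed)."""
    return ipaddress.IPv4Address(ip).reverse_pointer + "."


def fcrdns_check(ip):
    """Forward-confirmed reverse DNS, the test many mail relays apply before
    trusting a connecting host: IP -> PTR -> hostname -> A must return the
    same IP. Returns (ok, detail)."""
    host = PTR_RECORDS.get(ptr_owner_name(ip))
    if host is None:
        return False, "no PTR record for " + ip
    if A_RECORDS.get(host) != ip:
        return False, "PTR name %s does not resolve back to %s" % (host, ip)
    return True, host
```

The stale PTR for 203.0.113.80 shows why the check goes both ways: a PTR alone proves nothing unless the name it returns resolves back to the same address.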

 

A Host Record:

This is the classic record a DNS server has to offer; the only thing an "A" record does is map hostnames to IP addresses. We set one A record per IP address, because if we set an A record to one or more IP addresses we get conflicts in our DNS server. The A record also helps us set static IP addresses for our Domain Controllers, which must have (or let's say it is recommended by Microsoft...) static IP addresses (imagine your DC changing its IP address... not so recommended...).

For example:

www.XXX.com equals 192.XXX.XXX.X

CNAME Record:

A CNAME is a canonical name record that helps us map our "A" records (host names) to a different path, like another hostname or a different FQDN.

NSLookup to make our DNS life better!

Nov 21
2009

NSLookup is a fantastic tool that helps us troubleshoot the DNS server role. When you first type the NSLookup command you will see the host name and the IP address of the DNS server that is configured as our DNS server.

Note!

To exit the NSLookup tool all you need to do is type "exit".

You need to know that when you run the NSLookup tool it always searches your local domain unless you provide a different FQDN.

For example we can resolve host names into IPs:

For example we can resolve HOST names into IP’s:

Nslookup www.Microsoft.com

Server: lb1.www.ms.akadns.net

Address: 207.46.19.190

We can also query for the opposite:

NSLookup 207.46.19.190

Server: www.microsoft.com

Address: 207.46.19.190

Now I will give you all the switches NSLookup has to offer, to help you as best as possible:

Switch and the function it provides:

NSLookup -> here we launch the NSLookup tool.

Set Host Name -> returns the IP of the host name we provide.

Set Timeout=X -> here we set the timeout interval.

Set type= -> here we choose the query record type (A, ANY, CNAME, MX, NS, PTR, SOA, SRV).

Set Querytype -> exactly like type.


FSMO Roles

Nov 12
2009

The FSMO (flexible single master operations) roles are assigned in our environment to Domain Controllers and give us the ability to manage our environment without conflicts. The FSMO roles can be transferred between Domain Controllers, which gives us much more flexibility in managing our environment.

There are 5 FSMO roles in a forest; of the 5 roles, 2 provide services at the forest level and the other 3 at the domain level.

The Forest level FSMO:

  • Schema Master Role – The Schema Master role is responsible for updating the Schema partition. The DC that holds the Schema Master is the only one in our entire environment that can update the schema. As you already know from my other articles, when the update finishes the schema replicates to all other DCs in our directory.

Note!

We have only ONE Schema Master per directory!

  • Domain Naming Master Role – This role gives us the ability to make changes to the forest-wide domain names of our directory. The DC that holds this role is the only one that can add or remove a new DC from our forest.

The Domain level FSMO:

  • RID Master Role – The RID role is hosted on a single DC. This DC is responsible for the RID pool requests from all other DCs in a domain. This role is also responsible for adding or removing objects from a domain and transferring them to another DC (users, computers...).

The RID Master is responsible for adding a security principal identifier, called a SID, to objects in our environment (users, computers, groups...). This SID is unique across our whole domain and cannot be duplicated on another object in our domain.

  • PDC Emulator Role – This role provides many services. The first responsibility is to sync time in a Windows 2000 environment (W32Time service), which is required for Kerberos authentication. The time this FSMO provides is gathered from an external source, for example Microsoft's servers.

The PDC role is the one that provides the most services, and so we can say that this role is the busiest one in our environment. Here are a few examples:

-          This role helps us replicate the Sysvol folder in our environment.

-          It manages all password changes in our domains, ensures that accounts that do not supply the right credentials are locked out, and replicates passwords across domains.

  • Infrastructure Master Role – This role gives us the ability to update the SIDs and distinguished names of objects across domains; this happens when an object from one domain is referenced by an object from another DC.


FSMO levels:

Schema Master          : One per forest.
Domain Naming Master   : One per forest.
PDC Emulator           : One per domain.
RID Master             : One per domain.
Infrastructure Master  : One per domain.


Worst Case Scenario – What happens if a FSMO fails...?

  • Schema Master - If this FSMO role fails we cannot add objects to our Schema partition, and for that reason we cannot change objects or their attributes.

  • Domain Naming Master - Here it's easy to understand the problem we have when this FSMO fails: we simply cannot add new DCs to the forest, and we also cannot demote existing Domain Controllers. We need to pay attention that our environment will keep functioning until we next need to manage Domain Controllers in our forest.

  • PDC Emulator – As we described, this role is the one that provides the most services, and for that reason when this role does not function properly it will cause us the biggest problems in our environment.

  • RID Master – First we need to know that each Domain Controller in our domain contains a pool of RIDs, so we only have problems if we want to add many objects (users, computers...).

  • Infrastructure Master – Here we need to understand the difference between a single-domain environment (if this FSMO fails it is not relevant to this scenario) and a multi-domain environment (if this FSMO fails we cannot add objects from one DC to another).


Microsoft Recommendations for placing FSMO roles

First we need to know that the first Domain Controller installed in a forest holds all five FSMO roles.

When we add more DCs we can transfer the FSMO roles from the first DC installed in the forest (it does not happen automatically, so we need to manage the transfers manually).

As you already understand, it's nice to have more than one Domain Controller in a forest, so we can enjoy more redundancy and more flexibility in managing FSMO roles. Here are Microsoft's recommendations for managing FSMO roles in a forest environment:

  1. The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server.

  2. The Infrastructure Master should not be on the same server that acts as a Global Catalog server.

Note!

The Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it contacts the Global Catalog server for this information. If they both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog will keep it constantly updated. This would result in the Infrastructure Master never replicating changes to other domain controllers in its domain.

Note!

In a single domain environment this is not an issue.


Permissions

To be able to transfer a FSMO role you need the appropriate permissions; every FSMO role needs its own permissions:

  • Schema Master          : Schema Admins group.
  • Domain Naming Master   : Enterprise Admins group.
  • PDC Emulator           : Domain Admins group.
  • RID Master             : Domain Admins group.
  • Infrastructure Master  : Domain Admins group.


So where can we find the FSMO holders...?

  • The easiest way is to work with the NETDOM utility; we can find it in the Microsoft "Support Tools" or in the Windows 2003 "Resource Kit".

Now all we need to do is go to the command line and type the following command:

"Netdom query fsmo"

After the command finishes we will see a list of Domain Controllers and the roles they host.

  • The second way is to use the Administrative Tools snap-ins:

-          Open Active Directory Users and Computers, right-click the domain name and choose "Operations Masters". Now you should see a box indicating the server that holds each FSMO role.

The FSMO roles that we can see here are:

  1. RID Master.
  2. PDC Emulator.
  3. Infrastructure Master.

-          Open Active Directory Domains and Trusts, right-click the domain name and choose "Operations Master". Now you should see a box indicating the FSMO server.

Here we can see only the Domain Naming Master FSMO.

-          To see the Schema Master holder we need to open a blank MMC and add the "Active Directory Schema" snap-in.
