
    Managing Dynamic DNS

    Keeping a traditional DNS zone updated with new resource records requires lots of manual work. A large network with thousands of servers needs a full-time administrator just to manage DNS. With Dynamic DNS, clients and servers can register their A records automatically at boot time. Application servers can register SRV and other specialized records. Outdated records can be scavenged periodically to prevent clutter. It's a fairly automated process. Dynamic DNS probably won't do away with the need for full-time DNS management in a big network, but it should help rescue the administrator from a little of the tedium.

    This topic covers how to enable Dynamic DNS in Windows Server 2003, how to configure security so that only trusted clients can register their resource records, and how to maintain the zone to prevent accumulating outdated records.

    Configuring a Dynamic Zone

    After you have installed and configured a Windows Server 2003 server running DNS, enable Dynamic DNS for a particular zone as shown in Procedure 5.18.

    Procedure 5.18 Configuring a Dynamic Zone

    1. Open the DNS console.

    2. Right-click the zone that you want to configure for Dynamic DNS and select PROPERTIES from the flyout menu. The Properties window opens.

    3. In the Allow Dynamic Updates drop-down box, select Yes.

    4. Click OK to save the change and return to the DNS console.

    5. Verify that dynamic registration works by opening a command prompt at a Windows Server 2003 client that is configured to use this DNS server and entering ipconfig /registerdns. The host record is added to the zone file automatically. You may need to refresh the console to see it.

    You must configure the reverse lookup zones for dynamic updates, as well. If you fail to do this, DNS will add A records but not PTR records when new clients come online.

    Managing Dynamic DNS Security

    If you enable Dynamic DNS with no security options, it is possible that a computer can come online with the same name as a host that is already in the zone and overwrite the A record. This has the potential to be very disruptive. Imagine that your company post office has the name MAIN-PO. A user could bring a workstation online called MAIN-PO and DNS would obediently overwrite the A record of the post office. If it is a malicious user doing this, you have a real problem.

    The only way to avoid this behavior is to integrate the zone into Active Directory and require that Dynamic DNS clients be members of the domain. This avoids overwrite problems because two computers are not permitted to have the same name in an Active Directory domain.

    After a zone has been integrated into the Directory, the resource records are protected by Active Directory object security. DNS clients that are not domain members cannot dynamically register their host records. Figure 5.16 shows a System log error from the DNSAPI service on a Windows Server 2003 DNS client that has attempted to register a host record when it is not a member of the domain.

    Figure 5.16. Event Properties from System log showing rejected registration attempt by client that is not a domain member.


    The disadvantage to this security method is that not all your desktops might be running a modern Windows client. They might not even be running Windows. You can dynamically register DHCP clients using Windows Server 2003 or Windows 2000 DHCP. See "Configuring DHCP to Support DNS" for details.

    Disabling DNS on an Interface

    If you do not integrate a dynamic zone into Active Directory, you can at least take steps to prevent outsiders from registering records on your server. If you have a DNS server with two network interfaces, for example, one connected to the public network and the other connected to the local network, you can disable DNS (and Dynamic DNS registrations) on the public interface. Do this by completing the steps in Procedure 5.19.

    Procedure 5.19 Disabling DNS on an Interface

    1. Open the DNS console.

    2. Right-click the server icon and select PROPERTIES from the flyout menu. The Properties window opens with the Interfaces tab selected.

    3. Under Listen On, select the Only the Following IP Addresses option.

    4. Use the Remove button to delete all but the private interface.

    5. Click OK to save the new settings and return to the DNS console.

    6. Close the console.

    Registry Tip: Dynamic Updates

    The Listen On option sets the following Registry value:

    Key:   HKLM | System | CurrentControlSet | Services | TcpIp | Parameters | Interfaces | {GUID}
    Value: DisableDynamicUpdate
    Data:  0x1 disables updates; 0x0 enables updates

    Configuring Scavenging

    Dynamically registered records can become obsolete when machines crash or come on and off the network at infrequent intervals, as laptops are prone to do. When scavenging is enabled, DNS applies an aging value to dynamically registered resource records. Scavenging removes records that have not been refreshed for more than 14 days.

    If you enable scavenging, the format of the zone file changes to allow room for the aging value. This is a proprietary change, so you cannot move the zone file to a non-Windows Server 2003 name server. A standard secondary can pull a zone because the DNS server will filter out the aging records.

    Scavenging can be enabled for a single zone or for all zones on the server. Enable scavenging for a zone as shown in Procedure 5.20.

    Procedure 5.20 Configuring Scavenging

    1. Open the DNS console.

    2. Right-click the zone icon and select PROPERTIES from the flyout menu. The Properties window opens.

    3. At the General tab, click Aging. The Zone Aging/Scavenging Properties window opens.

    4. Select the Scavenge Stale Resource Records option.

    5. Leave the default seven-day values for No-Refresh Interval and Refresh Interval.

    6. Click OK to save the settings. A warning message appears informing you that the zone file record format will be changed.

    7. Click Yes to acknowledge the warning and apply the change.

    8. At the Properties window, click OK to save the changes and close the window.

    From this point forward, any new dynamic registrations are assigned an aging value. Old records are purged when scavenging runs. Set scavenging to run periodically as shown in Procedure 5.21.

    Procedure 5.21 Setting Periodic Scavenging

    1. Right-click the server icon and select PROPERTIES from the flyout menu. The Properties window opens.

    2. Select the Advanced tab (see Figure 5.17).

      Figure 5.17. DNS Server Properties window—Advanced tab showing automatic scavenging enabled.


    3. Select the Enable Automatic Scavenging of Stale Records option.

    4. Leave the Scavenging Period set for the default of seven days.

    5. Click OK to save the settings and close the window.

    You should arrange to check the status of the zone file periodically to make sure that scavenge is working. If you see many old records that should have been scavenged, try scavenging them manually. If that succeeds, check your periodic scavenging settings. If it does not succeed, make sure that you have correctly configured scavenging to work for the zone.
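
    The periodic check described above can be scripted against an exported copy of the zone. The following is an added example, not code from the book: it converts each record's aging value to a date and lists dynamic records older than the No-Refresh plus Refresh intervals. The `[AGE:n]` layout and its hours-since-1601 unit are assumptions about the export format, and the sample zone is constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the aging value appears as [AGE:n] after the owner name, with n
# counted in hours since 1601-01-01 00:00 UTC. Records without it are static.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RECORD = re.compile(
    r"^(?P<name>\S+)?\s+(?:\[AGE:(?P<age>\d+)\]\s+)?(?:\d+\s+)?(?:IN\s+)?"
    r"(?P<type>[A-Z]+)\s+(?P<data>.+?)\s*$"
)

def age_stamp(dt):
    """Hours since 1601 for a datetime; used only to build the sample below."""
    return int((dt - EPOCH_1601) / timedelta(hours=1))

def stale_records(zone_text, now, no_refresh_days=7, refresh_days=7):
    """Return (owner, type, data, last_refresh) for records past both intervals."""
    limit = timedelta(days=no_refresh_days + refresh_days)
    owner, stale = None, []
    for line in zone_text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue  # blank line or comment
        m = RECORD.match(line)
        if not m:
            continue  # directive or continuation line, not a record
        owner = m["name"] or owner  # empty owner column repeats the previous name
        if m["age"] is None:
            continue  # static record: no aging value, never scavenged
        refreshed = EPOCH_1601 + timedelta(hours=int(m["age"]))
        if now - refreshed > limit:
            stale.append((owner, m["type"], m["data"], refreshed))
    return stale

# Constructed sample zone content (names, addresses and dates are made up).
NOW = datetime(2003, 6, 30, 12, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = f"""\
; constructed sample, not a real export
@                       NS      dns1.example.test.
main-po                 A       10.1.1.10
laptop-17               [AGE:{age_stamp(NOW - timedelta(days=30))}]  1200  A  10.1.2.17
wks-042                 [AGE:{age_stamp(NOW - timedelta(days=3))}]   1200  A  10.1.2.42
                        [AGE:{age_stamp(NOW - timedelta(days=15))}]  1200  A  10.1.2.43
"""

if __name__ == "__main__":
    for owner, rtype, data, refreshed in stale_records(SAMPLE_ZONE, NOW):
        print(f"{owner:<12} {rtype:<4} {data:<12} last refreshed {refreshed:%Y-%m-%d}")
```

    Records that still appear in this list after a scavenging period has passed are the ones to investigate.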

    WINS Forwarding

    Although WINS forwarding is not strictly a Dynamic DNS feature, it is covered here because it provides essentially the same service.

    In NT4 DNS, Microsoft introduced a couple of new DNS resource records, WINS and WINS-R, that contain the IP address of a WINS server to use in the event that a host address cannot be located in the local zone file. This record is added and configured using a special properties page in the zone properties. Access the page by right-clicking the zone icon and selecting PROPERTIES from the flyout menu and then selecting the WINS tab. A similar page for the WINS-R record is present in the Properties window for a reverse lookup zone. Figure 5.18 shows an example.

    Figure 5.18. Zone Properties window showing the WINS tab.


    The Use WINS Forward Lookup option is disabled by default. When selected, it creates a WINS resource record. A Windows Server 2003 server running DNS recognizes this WINS record and uses it to locate a WINS server for forwarding.

    If you elect to use WINS forwarding, add the IP address of at least one WINS server to the list by entering the IP address and clicking Add. You can specify more than one WINS server for fault tolerance.

    The Do Not Replicate This Record option is not selected by default. When selected, it prevents the WINS record from being replicated to DNS servers that do not recognize the record type.
