
    Installing and Configuring DNS Servers

    If you have existing NT4 or Windows 2000 DNS servers, you can upgrade them to Windows Server 2003 and preserve your existing server configuration and zone files. If you decide to upgrade, start with the primary DNS server, then upgrade the secondary servers.

    Here's a quick checklist to use as a roadmap for your DNS deployment:

    • Lay out your DNS domain namespace so you know which zones you need. DNS names affect nearly every aspect of your system, so spend sufficient time with this step so that everyone agrees on the naming conventions.

    • Decide how you will integrate Windows DNS into your existing DNS infrastructure. If you use WINS, you also need to decide if you will use WINS forwarding.

    • Decide how you will resolve Internet addresses. This can be done with root hints, by using a forwarder, or with a combination of both.

    • Decide how you will provide name services for public zones. You can get DNS services from your ISP, place a DNS server in your DMZ, or open a conduit in your firewall for DNS query traffic.

    • Decide if you need to support name resolution behind the firewall for outside DNS domains. This includes extranets and network connections from subsidiaries, affiliates, or other trusted organizations. You can use conditional forwarding or stub zones to resolve addresses for these connections.

    • Define the locations where you will need DNS servers. Remember that you want to maximize availability and minimize WAN traffic.

    • Decide whether you will use standard DNS primary and secondary servers or Active Directory Integrated zones. If you use Active Directory Integrated zones, you must place domain controllers in strategic locations to support name resolution as well as LDAP and Kerberos lookups.

    • Decide if you will support dynamic resource record updates. If so, consider integrating your zones into Active Directory so you can take advantage of secure updates.

    • Decide how you will configure your DNS servers for special features such as round-robin, netmask prioritization, and name checking.

    After you've made your design assessments, use the step-by-step instructions in this section for configuring your servers.

    Installing the DNS Service

    When you're ready to install the DNS service on Windows Server 2003, follow Procedure 5.7. You'll need the Windows Server 2003 CD-ROM.

    Procedure 5.7 Installing DNS Drivers

    1. From Control Panel, open the Add/Remove Programs applet.

    2. Click Add/Remove Windows Components. The Windows Components Wizard starts with the focus set to the Windows Components window.

    3. Highlight Networking Services and click Details. The Networking Services window opens.

    4. Select Domain Name System (DNS) and click OK to save the change and return to the Windows Components window.

    5. Click Next. The Configuring Components window opens and the drivers begin loading. When the drivers have loaded and the configuration is complete, the wizard displays a successful completion window.

    6. Click Finish to close the window and return to the Add/Remove Programs window.

    7. Close the Add/Remove Programs window.

    At this point, you can begin configuring your zones. There is no need to restart.

    Creating a Forward Lookup Zone

    The first forward lookup zone you create should be for the root of your DNS namespace. In the Company public namespace used in these examples, the first zone would be for the company.com DNS domain. Follow the steps in Procedure 5.8.

    DNS Boot Information

    The DNS service starts automatically at boot time. You can start and stop the service using the DNS console or from the command line using net stop dns and net start dns.

    If the DNS service is configured as a standard primary or secondary, it initializes the zone based on Registry entries located at HKLM | Software | Microsoft | Windows NT | CurrentVersion | DNS Server | Zones. This is a change from Windows 2000, where the zone information was stored as part of the DNS service key.

    Each zone has a separate key with values that define the name of the database file, whether it allows dynamic updates, and whether updates must be from secure clients.

    Procedure 5.8 Creating a Forward Lookup Zone

    1. From the START menu, select START | PROGRAMS | ADMINISTRATIVE TOOLS | DNS. The DNS console opens. The DNS tree shows the local server and two empty branches for forward and reverse lookup zones.

    2. Right-click the Forward Lookup Zone icon and select NEW ZONE from the flyout menu. This starts the New Zone Wizard.

    3. Click Next. The Zone Type window opens (see Figure 5.11). Leave the default selection at Primary Zone. If you want to create a standard primary zone, uncheck the Store The Zone In Active Directory option.

      Figure 5.11. New Zone Wizard: Zone Type window showing default selection of Primary Zone.

    4. Click Next. The Zone Name window opens. Enter the name of the zone.

    5. Click Next. The Zone File window opens. The zone filename should match the zone name with a .DNS extension. If you have an existing zone file, you can import it at this point with the Use This Existing File option.

    6. Click Next. The Dynamic Update window opens. Select your update option. The Allow Only Secure Dynamic Updates option will only be available for Active Directory Integrated zones.

    7. Click Next. The wizard displays a completion window.

    8. Click Finish to complete the configuration and close the window. The new zone appears as a folder under the Forward Lookup Zones icon in the left pane of the window. When that zone icon is highlighted, the associated resource records are displayed in the right pane (see Figure 5.12).

      Figure 5.12. DNS console showing new forward lookup zone.

    Creating a Reverse Lookup Zone

    The forward lookup zone handles standard queries such as A record and SRV record requests. The reverse lookup zone will handle those few queries where the client knows the IP address and wants a host name. You can get by without creating reverse lookup zones, but they come in very handy for troubleshooting (and I highly recommend installing them). To create a reverse lookup zone, follow Procedure 5.9.

    Procedure 5.9 Creating a Reverse Lookup Zone

    1. Right-click the Reverse Lookup Zone icon and select NEW ZONE from the flyout menu. This starts the New Zone Wizard.

    2. Click Next. The Zone Type window opens. Leave the default selection at Primary Zone. If you want to create a standard primary zone, uncheck the Store The Zone In Active Directory option.

    3. Click Next. The Reverse Lookup Zone window opens (see Figure 5.13). Under Network ID, enter the network portion of the subnet the zone will service. The examples in this book use the 10.x networks with a 16-bit subnet mask, so the entry shows 10.1 with the last two octets empty. Each unique number in the second octet requires a separate reverse lookup zone.

      Figure 5.13. New Zone Wizard: Reverse Lookup Zone window.

    4. Click Next. The Zone File window opens. Leave the default setting. The zone filename should match the zone name with a .DNS extension. If you have an existing zone file, you can import it at this point with the Use This Existing File option.

    5. Click Next. The Dynamic Update window opens. Select your update option. The Allow Only Secure Dynamic Updates option will only be available for Active Directory Integrated zones.

    6. Click Next. The wizard displays a completion window.

    7. Click Finish to close the window and return to the DNS console.

    After the reverse lookup zones are in place, create a few test host records to make sure the associated PTR records are created successfully. Then, test the zone from a client by pinging the test records and the DNS server.

    Configuring Hierarchical Zones

    After you have installed your first DNS server and created the first zone, you can configure additional zones to build a hierarchical DNS namespace. For example, you could start with a company.com zone and then configure separate zones for each continent, such as na.company.com and eu.company.com and so forth.

    If you use separate zones, you need to configure the name servers to resolve queries between the zones. Plan your configuration around these two situations:

    • Queries from DNS clients in a child zone for records in its parent zone. This requires configuring the root hints file.

    • Queries from DNS clients in a parent zone for records in a child zone. This requires configuring delegation.

    Configuring Root Hints

    Queries from DNS clients in a child zone for records in its parent zone are resolved by configuring root hints on the DNS server in the child zone to include an authoritative server or servers in the parent zone.

    Start by installing DNS on two servers and creating the zones. The objective of the following steps is to make it possible for a user in the child domain to resolve an address in the parent domain by querying only the DNS server in the child domain. Follow Procedure 5.10.

    Procedure 5.10 Configuring Root Hints

    1. Open the DNS console.

    2. Right-click the DNS server icon and select PROPERTIES from the flyout menu. The Properties window opens.

    3. Select the Root Hints tab.

    4. Click Add. The Create New Record window opens.

    5. Enter the fully qualified DNS name of the root server, with or without the trailing dot, under Server Name.

    6. Enter the IP address of the server under Server IP Addresses and then click Add to put it on the list. If the server has multiple IP addresses, you can add each of them to the list. If you prefer that the queries use one of the addresses preferentially, use the Up and Down buttons to adjust the search list.

    7. Click OK to retain the changes and return to the Properties window. Make sure that the root server is at the top of the list.

    8. Click OK to save the changes and close the window.

    9. Test the configuration by pinging a host in the parent domain from a client in the child domain. The ping may take a while, but eventually it will succeed.

    Configuring Delegation

    The preceding section showed how to get a successful query for a host in a domain higher in the DNS namespace. Getting a successful query for a host lower in the namespace takes a bit more work. Assume, for example, that you are in the company.com DNS domain and you want to ping a server called srv1 in the branch1.company.com DNS domain.

    For ping to succeed, the DNS server in the company.com domain must find an A record for the server. But the company.com DNS server only has a copy of the company.com zone file. It must obtain the resource record from a name server in the branch1.company.com domain. This is called delegation.

    Updating Root Hints

    The root hints that come with Windows Server 2003 reflect the legacy name servers maintained by Network Solutions and not the new TLD servers maintained by Verisign (doing business as Network Solutions). You can update your root hints manually using information obtained from Verisign Global Registry Services, www.verisign-grs.com/dns/dnsfaq.shtml.

    As described in the topic, "Stub Zones," earlier in this chapter, the simplest way to delegate with a Windows Server 2003 DNS server is to configure a stub zone on the DNS server in the parent zone that points at one or more name servers in the child zone. The stub zone replicates the SOA, NS, and glue records from the child zone automatically. This requires zone transfer authorization in the child zone; if you lack this authorization, you must use standard delegation as described in this section.

    DNS servers, like military brass, always delegate down, not up. Therefore, when configuring delegation in your DNS namespace, start at the root and work your way down as shown in Procedure 5.11.

    Procedure 5.11 Configuring Delegations

    1. Open the DNS console.

    2. Right-click the zone name and select NEW DELEGATION from the flyout menu. This starts the New Delegation Wizard.

    3. Click Next. The Delegated Domain Name window opens.

    4. Enter the flat name of the child domain under Delegated Domain. The fully qualified name is built automatically.

    5. Click Next. The Name Servers window opens.

    6. Click Add. The New Resource Record window opens.

    7. Under Server Name, enter the fully qualified name of an authoritative server for the child zone. See the sidebar, "Lame Delegations," for the reason it is so important to select an authoritative server.

    8. Under IP Address, enter the IP address of the name server in the child domain, and then click Add to put it on the list.

    9. Click OK to retain the changes and return to the Name Servers window. The server appears on the Server Name list.

    10. Click Next. The wizard displays a completion window.

    11. Click Finish to save the changes and close the wizard.

    Lame Delegations

    A common error when configuring delegation is specifying a server that is not authoritative for the specified domain. This results in what is called a lame delegation.

    A lame delegation is a ticking time bomb. The system appears to work just fine until one day when the non-authoritative server returns the wrong record out of its cache. The DNS server in the parent domain forwards the faulty response to the querying client and puts it in its own cache where other clients get it.

    Remember how you felt when you found out your parents weren't infallible? Well, DNS clients who get faulty responses from lame delegations feel the same way. Make sure that you always delegate to an authoritative server.

    The DNS tree in the left pane of the DNS console shows the child domain listed under the parent. The right pane shows an NS record for the child domain name server. Test the delegation by pinging a host in the child domain from a DNS client in the parent domain. The ping should succeed nearly immediately. A packet trace shows the referral to the child domain.
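    The following script is an example added to this section, not code from the book, that covers two of the checks described above: the PTR test suggested after Procedure 5.9 and the lame delegation problem described in the sidebar. It parses zone files in the text format the Windows DNS service keeps under %SystemRoot%\System32\dns (one record per line, $ORIGIN directives, semicolon comments) and reports A records with no matching PTR, delegated name servers that the child zone does not itself list as authoritative, and in-zone name servers without a glue A record in the parent. The company.com, 1.10.in-addr.arpa, and branch1.company.com zone contents are constructed samples, and the host names and addresses in them are made up.

```python
"""Offline consistency checks for Windows DNS zone files (added example, not
from the book). Finds A records with no matching PTR and delegations that the
child zone does not itself list as authoritative or that lack glue records."""
from collections import namedtuple

Record = namedtuple("Record", "name type data")

# Constructed sample zones; hosts and addresses are made up for the example.
PARENT_ZONE = """\
$ORIGIN company.com.
$TTL 3600
@       IN SOA dns1.company.com. hostmaster.company.com. (1 900 600 86400 3600)
@       IN NS  dns1.company.com.
dns1    IN A   10.1.1.10
www     IN A   10.1.1.20
; delegation of branch1.company.com to name servers in the child zone
branch1 IN NS  dns2.branch1.company.com.
branch1 IN NS  dns9.branch1.company.com.
dns2.branch1 IN A 10.2.1.10
"""

REVERSE_ZONE = """\
$ORIGIN 1.10.in-addr.arpa.
@    IN SOA dns1.company.com. hostmaster.company.com. (1 900 600 86400 3600)
@    IN NS  dns1.company.com.
10.1 IN PTR dns1.company.com.
"""

CHILD_ZONE = """\
$ORIGIN branch1.company.com.
@    IN SOA dns2.branch1.company.com. hostmaster.company.com. (1 900 600 86400 3600)
@    IN NS  dns2.branch1.company.com.
dns2 IN A   10.2.1.10
srv1 IN A   10.2.1.50
"""


def _fqdn(name, origin):
    """Expand an owner or target name to a lowercase FQDN without trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.rstrip(".").lower()
    return f"{name}.{origin}".lower()


def parse_zone(text):
    """Parse zone text into Record tuples. Handles $ORIGIN, ';' comments,
    optional TTL and class fields, and a blank owner meaning 'same as above'."""
    origin, last_owner, records = "", "", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$"):
            continue  # $TTL and similar directives do not affect these checks
        tokens = line.split()
        owner = last_owner if raw[0] in " \t" else tokens.pop(0)
        last_owner = owner
        if tokens and tokens[0].isdigit():
            tokens.pop(0)  # optional TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)  # optional class
        rtype = tokens.pop(0).upper()
        records.append(Record(_fqdn(owner, origin), rtype, " ".join(tokens)))
    return records


def zone_name(records):
    """The zone apex is the owner of the SOA record."""
    return next(r.name for r in records if r.type == "SOA")


def check_reverse(forward, reverse):
    """Return (host, ip) pairs whose address lies inside the reverse zone but
    has no PTR record pointing back at the host name."""
    rev_zone = zone_name(reverse)
    ptr = {r.name: r.data.rstrip(".").lower() for r in reverse if r.type == "PTR"}
    missing = []
    for r in forward:
        if r.type != "A":
            continue
        rev_name = ".".join(reversed(r.data.split("."))) + ".in-addr.arpa"
        if rev_name.endswith("." + rev_zone) and ptr.get(rev_name) != r.name:
            missing.append((r.name, r.data))
    return missing


def check_delegation(parent, child):
    """Compare the parent's NS records for the child with the child's own NS
    set. A delegated server the child does not list is a lame delegation
    candidate; an in-zone server without glue cannot be reached by referral."""
    child_apex = zone_name(child)
    child_ns = {r.data.rstrip(".").lower() for r in child
                if r.type == "NS" and r.name == child_apex}
    glue = {r.name for r in parent if r.type == "A"}
    lame, no_glue = [], []
    for r in parent:
        if r.type != "NS" or r.name != child_apex:
            continue
        target = r.data.rstrip(".").lower()
        if target not in child_ns:
            lame.append(target)
        if target.endswith("." + child_apex) and target not in glue:
            no_glue.append(target)
    return {"lame": lame, "no_glue": no_glue}


if __name__ == "__main__":
    parent, reverse, child = map(parse_zone, (PARENT_ZONE, REVERSE_ZONE, CHILD_ZONE))
    for host, ip in check_reverse(parent, reverse):
        print(f"no PTR for {host} ({ip})")
    findings = check_delegation(parent, child)
    for ns in findings["lame"]:
        print(f"lame delegation candidate: {ns} is not an NS in {zone_name(child)}")
    for ns in findings["no_glue"]:
        print(f"missing glue A record for {ns}")
```

    On the sample data the script reports that www.company.com has no PTR record and that dns9.branch1.company.com is delegated to but neither listed as an NS by the child zone nor given a glue record in the parent. The script only compares zone text, so it catches the mismatch between parent and child that usually causes a lame delegation; whether a delegated server actually answers authoritatively is still confirmed by the ping and packet trace described above.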
