20411B-ENU-TrainerHandbook
.pdf
•A DNS server that is loading zones with stale resource records might use outdated information to MCT answer client queries, which could cause the client computers to experience name resolution or connectivity problems on the network.
•The accumulation of stale resource records on the DNS server might degrade its performance and USE responsiveness.
•In some cases, the presence of a stale resource record in a zone could prevent another computer or host device from using a DNS domain name.
To solve these problems, the DNS Server service has the following features:
•Time stamping, based on the current date and time that is set at the server computer, for any ONLY resource records that are added dynamically to primary-type zones. Additionally, time stamps are
recorded in standard primary zones where you enable aging and scavenging.
•For resource records that you add manually, you use a time-stamp value of zero to indicate that the aging process does not affect these records and that they can remain without limitation in zone data
unless you otherwise change their time stamp or delete them. .
•Aging of resource records in local data, based on a specified refresh time period, for any eligible
•zones. STUDENT
Only primary type zones that the DNS Server service loads are eligible to participate in this process.
•Scavenging for any resource records that persist beyond the specified refresh period.disabled.
could configure the server to delete records accidentally that you should not delete. If a record is deleted accidentally, not only will users fail to resolve queries for that record, but any user can create the record and take ownership of it, even on zones that you configure for secure dynamic update. This is a significant security risk.
The server uses the contents of each time stamp for specific resource records, as well as other aging
USE
•You must enable scavenging and aging at the DNS server and on the zone. By default, aging and PROHIBITED scavenging of resource records is disabled.
•You must add resource records to zones dynamically or manually modify them for use in aging and
scavenging operations.and
2-24 Configuring and Troubleshooting Domain Name System
To change this default, you can administer these records individually to reset and permit them to use a current (nonzero) time-stamp value. This enables these records to become aged and scavenged.
Demonstration: Managing DNS Records
This demonstration shows how to:
•Configure TTL.
•Enable and configure scavenging and aging.
Demonstration Steps
Configure TTL
1.Switch to LON-DC1, and then open the Adatum.com zone properties.
2.On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.
Enable and configure scavenging and aging
1.Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure aging and scavenging options.
2.Enable Scavenge stale resource records, and then use the default values.
Demonstration: Testing the DNS Server Configuration
Issues can occur when you do not configure the DNS server, and its zones and resource records, properly. When resource records are causing issues, it can sometimes be more difficult to identify the issue because configuration problems are not always obvious.
The following table lists possible configuration issues that can cause DNS problems.
Issue |
Result |
|
|
Missing records |
Records for a host are not in the DNS server. They might have been scavenged |
|
prematurely. This can result in workstations not being able to connect with |
|
each other. |
Incomplete records |
Records that are missing information required to locate the resource they |
|
represent can cause clients requesting the resource to use invalid information. |
|
For example, a service record that does not contain a needed port address is an |
|
example of an incomplete record. |
Incorrectly |
Records that are pointing to an invalid IP address or have invalid information in |
configured records |
their configuration will cause problems when DNS clients try to find resources. |
|
|
The tools used to troubleshoot these and other configuration issues are:
•Nslookup. Use this tool to query DNS information. The tool is flexible, and it can provide valuable information about DNS server status. You also can use it to look up resource records and validate their configuration. Additionally, you can test zone transfers, security options, and MX record resolution.
Note: You can use the Windows PowerShell cmdlet Resolve-DnsName to perform similar functions to Nslookup when troubleshooting DNS.
PROHIBITED USE STUDENT .ONLY USE MCT
Administering Windows Server® 2012 2-25
• Windows PowerShell. You can use Windows PowerShell cmdlets to configure and troubleshoot various
DNS aspects. |
MCT |
|
|
• Dnscmd. Manage the DNS Server service with this command-line interface. This utility is useful in |
|
scripting batch files to help automate routine DNS management tasks or to perform simple |
|
unattended setup and configuration of new DNS servers on your network. |
|
• IPconfig. Use this command to view and modify IP configuration details that the computer uses. This |
||
|
utility includes additional command-line options that you can use to troubleshoot and support DNS |
|
|
clients. You can view the client local DNS cache by using the command ipconfig /displaydns, and |
USE |
|
ONLY |
|
|
you can clear the local cache using ipconfig /flushdns. |
|
|
Note: You can also use the following Windows PowerShell cmdlets: |
|
|
||
|
|
|
o clear-DnsClientCache to delete the DNS resolver cache
oget-DnsClientCache to view the resolver cache
•Monitoring tab on DNS server. In the DNS server Monitoring tab, you can configure a test that allows
the DNS server to determine whether it can resolve simple local queries and perform a recursive STUDENT query to ensure that the server can communicate with upstream servers. You also can schedule these
tests for regular intervals.
These are basic tests, but they provide a good place to start troubleshooting the DNS service. Possible causes for a test to fail include:
oThe DNS Server service has failed.
1.Open a command prompt, and then run the following command:
nslookup –d2 LON-svr1.Adatum.com
2.Review the information provided by nslookup.
Monitoring DNS by Using the DNS Event Log
The DNS server has its own category in the event log. As with any event log in Windows® Event Viewer, you should review the event log periodically.
Common DNS Events
The following table describes common DNS events.
PROHIBITED USE
2-26 Configuring and Troubleshooting Domain Name System
|
Event |
|
Description |
|
ID |
|
|
|
|
|
2The DNS server has started. This message generally appears at startup when either the server computer or the DNS Server service is started.
3The DNS server has shut down. This message generally appears when either the server computer is shut down or the DNS Server service is stopped manually.
408The DNS server could not open socket for address [IPaddress]. Verify that this is a valid IP address for the server computer.
To correct the problem, you can do the following:
1.If the specified IP address is not valid, remove it from the list of restricted interfaces for the server and restart the server.
2.If the specified IP address is no longer valid and was the only address enabled for the DNS server to use, the server might not have started as a result of this configuration error. To correct this problem, delete the following value from the registry and restart the DNS server:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters \ListenAddress
3.If the IP address for the server computer is valid, verify that no other application that would attempt to use the same DNS server port (such as another DNS server application) is running. By default, DNS uses TCP port 53.
413• The DNS server sends requests to other DNS servers on a port other than its default port (TCP port 53).
•This DNS server is multihomed and has been configured to restrict DNS Server service to only some of its configured IP addresses. For this reason, there is no assurance that DNS queries that this server makes to other remote DNS servers will be sent by using one of the IP addresses that was enabled for the DNS server.
•This might prevent query answer responses that these servers return from being received on the DNS port that the server is configured to use. To avoid this problem, the DNS server sends queries to other DNS servers using an arbitrary non-DNS port, and the response is received regardless of the IP address used.
•If you want to limit the DNS server to using only its configured DNS port for sending queries to other DNS servers, use the DNS console to perform one of the following changes in server properties configuration on the Interfaces tab:
o Select All IP addresses to enable the DNS server to listen on all configured server IP addresses.
o Select Only the following IP addresses to limit the IP address list to a single server IP address.
414The server computer currently has no primary DNS suffix configured. Its DNS name currently is a single label host name. For example, its configured name is host rather than host.example.microsoft.com or another FQDN.
Although the DNS server has only a single label name, default resource records created for its configured zones use only this single label name when mapping the host name for this DNS server. This can lead to incorrect and failed referrals when clients and other DNS servers use these records to locate this server by name.
In general, you should reconfigure the DNS server with a full DNS computer name that is appropriate for its domain or workgroup use on your network.
PROHIBITED USE STUDENT .ONLY USE MCT
|
|
|
|
Administering Windows Server® 2012 |
MCT |
|
|
|
|
|
2-27 |
|
|
|
|
|
|
|
|
|
|
|
Event |
|
Description |
|
|
|
|
ID |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
708The DNS server did not detect any zones of either primary or secondary type. It will run as a caching-only server, but will not be authoritative for any zones. USEThis event should appear only if you configure the DNS server to operate as a root server.
6527 |
Zone [zonename] expired before it could obtain a successful zone transfer or update from a |
|||
|
master server that is acting as its source for the zone. The zone has been shut down. |
|
|
|
|
This event ID might appear when you configure the DNS server to host a secondary copy of |
|||
|
the zone from another DNS server that is acting as its source or master server. Verify that |
ONLY |
||
|
this server has network connectivity to its configured master server. |
|||
|
If the problem continues, consider one or more of the following options: |
|||
|
1. Delete the zone and recreate it, specifying either a different master server, or an |
|||
|
. |
|||
|
updated and corrected IP address for the same master server. |
|||
|
|
|
||
|
2. If zone expiration continues, consider adjusting the expiration interval. |
|
|
|
|
|
|
||
Monitoring DNS by Using Debug Logging |
|
|
||
Sometimes it might be necessary to get more |
|
|
|
|
|
STUDENT |
|||
details about a DNS problem than what the Event |
||||
Viewer provides. In this instance, you can use |
||||
debug logging to provide additional information. |
||||
The following DNS debug logging options are |
||||
available: |
|
|
||
|
|
USE |
||
Direction of packets. This option has the |
||||
following settings: |
||||
|
|
|
||
oSend. The DNS server log file logs packets that the DNS server sends.
oReceive. The log file logs packets that the DNS server receives.
oStandard query. Specifies that packets containing standard queries, according to Request for Comments (RFC) 1034, are logged in the DNS server log file.
o |
PROHIBITED |
Updates. Specifies that packets containing dynamic updates, according to RFC 2136, are logged |
in the DNS server log file.
o Notifies. Specifies that packets containing notifications, according to RFC 1996, are logged in the DNS server log file.
o UDP. Specifies that packets sent and received over User Datagram Protocol (UDP) are logged in the DNS server log file.
o
2-28 Configuring and Troubleshooting Domain Name System
• Type of packet. This option has the following settings: |
MCT |
|
o Request. Specifies that request packets are logged in the DNS server log file. A request packet is |
||
characterized by a Query/Response (QR) bit set to zero in the DNS message header. |
|
|
A QR bit is a one-bit field that specifies whether this message is a query (0) or a response. |
|
|
o Response. Specifies that response packets are logged in the DNS server log file. A response packet |
||
is characterized by a QR bit set to 1 in the DNS message header. |
USE |
|
• Enable filtering based on IP address. This option provides additional filtering of packets that are |
||
.ONLY |
||
logged in the DNS server log file. This option allows logging of packets that are sent from specific IP |
||
addresses to a DNS server or from a DNS server to specific IP addresses. |
||
• Log file maximum size limit. This option allows you to set the maximum file size for the DNS server |
||
log file. When the DNS server log file reaches its specified maximum size, the DNS server overwrites |
||
the oldest packet information with new information. |
||
If you do not specify a maximum log-file size, the DNS server log file can consume a large amount of |
||
hard-disk space. |
||
PROHIBITEDUSESTUDENT |
||
By default, all debug logging options are disabled. When you enable them selectively, the DNS Server |
||
service can perform additional trace-level logging of selected types of events or messages for general |
||
troubleshooting and server debugging. |
||
|
||
Debug logging can be resource intensive, affecting overall server performance and consuming disk space. Therefore, you should use it only on a temporary basis, when you need more detailed server-performance information.
Note: Dns.log contains debug logging activity. By default, it is located in the %systemroot%\System32\Dns folder.
Administering Windows Server® 2012 2-29
Lab: Configuring and Troubleshooting DNS |
MCT |
|
Scenario |
||
|
A. Datum is a global engineering and manufacturing company with its head office in London, UK. An IT office and a data center are located in London to support the head office and other locations. A. Datum has recently deployed a Windows Server 2012 server and client infrastructure.
You have been asked to add several new resource records to the DNS service installed on LON-DC1. |
USE |
|
Records include a new MX record for Exchange Server 2010 and a SRV record for a Microsoft Lync® |
||
|
||
deployment that is occurring. |
|
A. Datum is working with a partner organization, Contoso, Ltd. You have been asked to configure internalONLY name resolution between the two organizations. A small branch office has reported that name resolution
performance is poor. The branch office contains a Windows Server 2012 server that performs several roles. However, there is no plan to implement an additional domain controller. You have been asked to install the DNS server role at the branch office and create a secondary zone of Adatum.com. To maintain security, you have been instructed to configure the branch office server to be on the Notify list for Adatum.com zone transfers. You also should update all branch office clients to use the new name server
.
in the branch office. |
STUDENT |
|
You should configure the new DNS server role to perform standard aging and scavenging, as necessary and as specified by corporate policy. After implementing the new server, you need to test and verify the configuration by using standard DNS troubleshooting tools.
•Configure DNS resource records.
•Configure DNS conditional forwarding.
•Install and configure DNS zones.
•Troubleshoot DNS.
USE
1.On the host computer, click Start, point to Administrative Tools, and then click Hyper-V ManagerPROHIBITED.
2.In Hyper-V® Manager, click 20411B-LON-DC1, and in the Actions pane, click Start.
3.In the Actions pane, click Connect. Wait until the virtual machine starts.Virtual Machines 20411B-LON-DC1
2-30 Configuring and Troubleshooting Domain Name System
4.Sign in using the following credentials: o User name: Administrator
o Password: Pa$$w0rd o Domain: Adatum
5.Repeat steps 2 through 4 for 20411B-LON-SVR1 and 20411B-LON-CL1.
Exercise 1: Configuring DNS Resource Records
Scenario
You have been asked to add several new resource records to the DNS service installed on LON-DC1. Records include a new MX record for Exchange Server 2010, and a SRV record required for a Lync deployment that is taking place currently. You have also been asked to configure a reverse lookup zone for the domain.
The main tasks for this exercise are as follows:
1.Add the required MX record.
2.Add the required Lync server records.
3.Create the reverse lookup zone.
Task 1: Add the required MX record
1.Switch to LON-DC1, and sign in as Adatum\Administrator with the password Pa$$w0rd.
2.Open the DNS Manager console.
3.Create a new host record with the following properties: o Zone: Adatum.com
o Name: Mail1
o IP address: 172.16.0.250
4.In the Adatum.com zone, add a new record with the following information: o Type: New Mail Exchanger (MX)
o Fully qualified domain name (FQDN) of mail server: Mail1.Adatum.com.
Task 2: Add the required Lync server records
1.Create a new host record with the following properties: o Zone: Adatum.com
o Name: Lync-svr1
o IP address: 172.16.0.251
2.In the Adatum.com zone, add a new record: o Type: Service Location (SRV)
o Service: _sipinternaltls o Protocol: _tcp
o Port Number: 5061
o Host offering this service: Lync-svr1.adatum.com.
PROHIBITED USE STUDENT .ONLY USE MCT
|
|
Administering Windows Server® 2012 |
MCT |
|
|
|
2-31 |
|
|
|
|
Task 3: Create the reverse lookup zone |
|
|
|
|
• Create a new reverse lookup zone with the following properties: |
|
|
|
|
o Zone Type: Primary zone |
USE |
|
|
|
o Active Directory Zone Replication Scope: Default |
||
|
|
o Reverse Lookup Zone Name: IPv4 Reverse Lookup Zone |
||
|
|
o Reverse Lookup Zone Name: 172.16.0 |
||
|
|
o Dynamic Update: Default |
.ONLY |
|
|
|
|
||
|
|
|
||
Results: After this exercise, you should have configured the required messaging service records and the reverse lookup zone successfully.
Exercise 2: Configuring DNS Conditional Forwarding
Scenario
•From the Conditional Forwarders node, configure conditional forwarding for Contoso.com: STUDENT
a.In the New Conditional Forwarder dialog box, in the DNS Domain box, type contoso.com.
b.Click in the <Click here to add an IP Address or DNS Name> box. Type 131.107.1.2, and then press Enter. Validation will fail since the server cannot be contacted.
c.Enable Store this conditional forwarder in Active Directory, and replicate it as follows.
Results: After this exercise, you should have successfully configured conditional forwarding. |
USE |
Exercise 3: Installing and Configuring DNS Zones |
Scenario
A small branch office has reported that name resolution performance is poor. The branch office contains a Windows Server 2012 Server that performs several roles. However, there is no plan to implement an
additional domain controller. You have been asked to install the DNS server role at the branch office, and then create a secondary zone of Adatum.com. To maintain security, you also have been instructed to configure the branch office server to be on the Notify list for Adatum.com zone transfers. You also should update all branch office clients to use the new name server in the branch office, and then configure the new DNS server role to perform standard aging and scavenging, as needed and specified by corporate policy.
PROHIBITED
1.Install the DNS server role on LON-SVR1.
2.Create the required secondary zones on LON-SVR1.
3.Enable and configure zone transfers.
2-32 Configuring and Troubleshooting Domain Name System
4.Configure TTL, aging, and scavenging.
5.Configure clients to use the new name server.
Task 1: Install the DNS server role on LON-SVR1
1. Switch to LON-SVR1, and sign in as Adatum\Administrator with the password Pa$$w0rd. 2. Use Server Manager to install the DNS Server role.
Task 2: Create the required secondary zones on LON-SVR1
1.Open a command prompt.
2.Type the following command to create the required secondary zone:
Dnscmd.exe /zoneadd Adatum.com /secondary 172.16.0.10
3.Open DNS Manager, and then verify the presence of the new secondary forward lookup zone
Adatum.com.
Task 3: Enable and configure zone transfers
1.Switch to LON-DC1.
2.Open a command prompt, and then run the following command to configure zone transfers for the Adatum.com zone:
Dnscmd.exe /zoneresetsecondaries Adatum.com /notifylist 172.16.0.21
3.In DNS Manager, verify the changes to the Zone Transfers settings:
a.In the navigation pane, click Adatum.com, and then on the toolbar, click Refresh.
b.Right-click Adatum.com, and then click Properties.
c.In the Adatum.com Properties dialog box, click the Zone Transfers tab.
d.Click Notify, and verify that the server 172.16.0.21 is listed. Click Cancel.
e.Close the Adatum.com Properties dialog box.
Task 4: Configure TTL, aging, and scavenging
1. On LON-DC1, open the Adatum.com zone properties.
2. On the Start of Authority tab, configure the Minimum (default) TTL value to be 2 hours.
3. Right-click LON-DC1, and then select the Set Aging/Scavenging for All Zones option to configure aging and scavenging options.
4. Enable Scavenge stale resource records, and then use the default values.
Task 5: Configure clients to use the new name server
1.Sign in to the LON-CL1 virtual machine as Adatum\Administrator with the password Pa$$w0rd.
2.Use Network and Sharing Center to view the properties of Local Area Connection.
3.Reconfigure Internet Protocol Version 4 (TCP/IPv4) as follows: o Modify the Preferred DNS server: 172.16.0.21.
Results: After this exercise, you should have successfully installed and configured DNS on LON-SVR1.
PROHIBITED USE STUDENT .ONLY USE MCT