DNS StepbyStep
8/12/2019 DNS StepbyStep
DNS Step-by-Step Guide
Microsoft Corporation
Published: October 2005
Authors: Andrea Weiss and Jim Groves
Editors: Justin Hall and Carolyn Eller
Abstract
This document can help you implement Domain Name System (DNS) on Microsoft® Windows Server™ 2003 on a small network. DNS is the main way that Windows Server 2003 translates computer names to network addresses. An Active Directory®-based domain controller also can act as a DNS server that registers the names and addresses of computers in the domain and then provides the network address of a member computer when queried with the computer's name.
This guide explains how to set up DNS on a simple network consisting of a single domain.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2005 Microsoft Corporation. All rights reserved.
Microsoft, MS-DOS, Windows, Windows NT, Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and
Contents
DNS Step-by-Step Guide
Contents
Domain Name System Step-by-Step Guide
Planning DNS
Understanding the DNS Namespace
Designing a DNS Namespace
Installing and Configuring Active Directory and DNS
Configuring DNS Client Settings (DNS Step-by-Step)
Advanced DNS Configuration (DNS Step-by-Step)
Adding Resource Records
Automatically Removing Outdated Resource Records
Configuring a Forwarder for Internet Access
Troubleshooting DNS (DNS Step-by-Step)
Domain Name System Step-by-Step Guide
Domain Name System (DNS) is a system for naming computers and network services that organizes them into a hierarchy of domains. DNS naming is used on TCP
Planning DNS
DNS is the primary method for name resolution in the Microsoft® Windows Server™ 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems (collectively referred to as "Windows Server 2003" in this guide). DNS is a requirement for deploying the Active Directory® directory service. Integrating DNS with Active Directory enables DNS servers to take advantage of the security, performance, and fault tolerance capabilities of Active Directory.
Typically, you organize your DNS namespace (the association of domains, subdomains, and hosts) in a way that supports how you plan to use Active Directory to organize the computers on your network. For more information about using Active Directory to organize your network, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services on Microsoft Windows Server 2003 TechCenter (http:
Understanding the DNS Namespace
The DNS namespace begins with a logical root domain that is not named, partly because it is implicit in all DNS names. The root domain, in turn, contains a limited number of subdomains that help organize the DNS namespace. These subdomains are called top-level domains (TLDs) because they are the highest-level, or most inclusive, part of the DNS namespace that people use. The names of these top-level domains are either functional or geographical.
Functional top-level domains suggest the purpose of the organization that has registered a subdomain in the top-level domain. Some of the most common functional top-level domain names are:
• The .com top-level domain, which is usually used to register DNS domain names that belong to commercial entities, such as corporations.
• The .edu top-level domain, which is most often used by educational institutions, such as colleges and public and private schools.
• The .gov top-level domain, which is used by government entities, including federal, state, and local governments.
• The .net top-level domain, which is often used by organizations that provide Internet services, such as Internet service providers (ISPs).
• The .org top-level domain, which is typically used for private, nonprofit organizations.
Geographical top-level domains indicate the country or region where the organization that registered the domain is located. For example, an organization that wants to emphasize that it is located in Canada would register its Internet domain name in the .ca top-level domain, while an organization that wants to show that it is based in Brazil would register its Internet domain name in the .br top-level domain.
Most organizations that want to have an Internet presence, such as for a Web site or sending and receiving e-mail, register an Internet domain name that is a subdomain of a top-level domain. Usually they choose a subdomain name based on their organization's name, such as contoso.com or microsoft.com. Registering an Internet domain name reserves the name for the exclusive use of the organization and configures DNS servers on the Internet to provide the appropriate Internet Protocol (IP) address when they are queried for that name. In other words, it creates the equivalent of a telephone directory entry for the Internet domain name. But instead of providing a telephone number for the name, it provides the IP address that a computer requires to access the computers in the registered domain.
The DNS namespace is not limited to just the publicly registered Internet domain names. Organizations that have networks with their own DNS servers can create domains for their internal use. As the next section explains, these internal DNS namespaces can be, but are not required to be, subdomains of a public Internet domain name.
Designing a DNS Namespace
You can design an external namespace that is visible to Internet users and computers, and you can also design an internal namespace that is accessible only to users and computers that are within the internal network.
Organizations that require an Internet presence as well as an internal namespace must deploy both an internal and an external DNS namespace and manage each namespace separately. In this case, it is recommended that you make your internal domain a subdomain of your external domain. Using an internal domain that is a subdomain of an external domain:
• Requires you to register only one name with an Internet name authority, even if you later decide to make part of your internal namespace publicly accessible.
• Ensures that all of your internal domain names are globally unique.
• Simplifies administration by enabling you to administer internal and external domains separately.
• Allows you to use a firewall between the internal and external domains to secure your DNS deployment.
For example, an organization that has an external domain name of contoso.com might use the internal domain name corp.contoso.com.
You can use your internal domain as a parent for additional child domains that you create to manage divisions within your company, in cases where you are deploying an Active Directory domain for each division. Child domain names are immediately subordinate to the domain name of the parent. For example, a child domain for a manufacturing division that is added to the us.corp.contoso.com namespace might have the domain name manu.us.corp.contoso.com.
Creating an Internet DNS Domain Name
An Internet DNS domain name is composed of a top-level domain name (such as .com, .org, or .edu) and a unique subdomain name chosen by the domain owner. For example, a company named Contoso Corporation would probably choose contoso.com as its Internet domain name.
When you have selected your Internet DNS domain, conduct a preliminary search of the Internet to confirm that the DNS domain name that you selected is not already registered to another organization. If you do not find that your domain name is already registered to another organization, contact your Internet service provider (ISP) to confirm that the domain name is available and to help you register your domain name. Your ISP will probably set up a DNS server on its own network to host the DNS zone for your domain name, or it might help you set up a DNS server on your network for this purpose.
Creating Internal DNS Domain Names
For your internal domains, create names relative to your registered Internet DNS domain name. For example, if you have registered the Internet DNS domain name contoso.com for your organization, use a DNS domain name such as corp.contoso.com for the internal fully qualified DNS domain name, and use CORP as the NetBIOS name.
If you are deploying DNS in a private network and do not plan to create an external namespace, you should nevertheless consider registering the DNS domain name that you create for your internal domain. If you do not register the name and later attempt to use it on the Internet, or connect to a network that is connected to the Internet, you might find that the name is unavailable.
Creating DNS Computer Names
It is important to develop a practical DNS computer-naming convention for computers on your network. This enables users to remember the names of computers on public and private networks easily, and therefore facilitates access to network resources.
Use the following guidelines when creating names for the DNS computers in your Windows Server 2003 DNS infrastructure:
• Select computer names that are easy for users to remember.
• Identify the owner of a computer in the computer name. For example, john-doe indicates that John Doe uses the computer, and pubs-server indicates that the computer is a server that belongs to the Publications department.
• Alternatively, select names that describe the purpose of the computer. For example, a file server named past-accounts-1 indicates that the file server stores information related to past accounts.
• Do not use character case to convey the owner or purpose of a computer. DNS is not case-sensitive.
• Match the Active Directory domain name to the primary DNS suffix of the computer name. The primary DNS suffix is the part of the DNS name that appears after the host name. For more information, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services on Microsoft Windows Server 2003 TechCenter (http:
Installing and Configuring Active Directory and DNS
When you create a new domain, the Active Directory Installation Wizard installs DNS on the server by default. This ensures that DNS and Active Directory are configured properly for integration with each other.
Important
Before you install Active Directory and DNS on the first domain controller server in a new domain, ensure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to ensure that they can be located reliably.
To install DNS with Active Directory in a new domain
1. Click Start, point to Administrative Tools, and then click Configure Your Server Wizard.
2. On the Manage Your Server page, click Add or remove a role.
3. On the Configure Your Server Wizard page, click Next.
4. Click Domain Controller (Active Directory), and then click Next.
5. On the Welcome to the Active Directory Installation Wizard page, click Next.
6. On the Operating System Compatibility page, read the information, and then click Next.
If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.
7. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.
8. On the Create New Domain page, click Domain in a new forest, and then click Next.
9. On the New Domain Name page, type the full DNS name (such as corp.contoso.com) for the new domain, and then click Next.
10. On the NetBIOS Domain Name page, verify the NetBIOS name (for example, CORP), and then click Next.
11. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.
12. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse to choose a location, and then click Next.
13. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server, and then click Next.
14. On the Permissions page, select one of the following:
• Permissions compatible with pre-Windows 2000 Server operating systems
• Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
15. On the Directory Services Restore Mode Administrator Password page, type a password that will be used to log on to the server in Directory Services Restore Mode, confirm the password, and then click Next.
16. Review the Summary page, and then click Next to begin the installation.
17. After the Active Directory installation completes, click OK to restart the computer.
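As an added example (not from the guide), the same installation scripted with the ADDSDeployment module on Windows Server 2012 or later, which the guide's Windows Server 2003 wizard predates. The domain name corp.contoso.com, the NetBIOS name CORP and the static-address requirement come from the guide; the folder paths and the use of Get-NetIPInterface to check for DHCP are assumptions.

```powershell
# Added example: scripted equivalent of "To install DNS with Active Directory in a new
# domain", using the ADDSDeployment module (Windows Server 2012 or later).
# Run in an elevated PowerShell session on the future domain controller.

# The guide's "Important" note: the first domain controller must have a static address,
# not a DHCP lease. Refuse to continue while any connected IPv4 interface still uses DHCP.
$dhcpInterfaces = Get-NetIPInterface -AddressFamily IPv4 |
    Where-Object { $_.Dhcp -eq 'Enabled' -and $_.ConnectionState -eq 'Connected' }
if ($dhcpInterfaces) {
    throw "Interface(s) still use DHCP: $($dhcpInterfaces.InterfaceAlias -join ', '). Assign a static IP address first."
}

# Values from the guide's worked example (steps 9 and 10). Adjust to your own namespace.
$domainName  = 'corp.contoso.com'   # full DNS name of the new forest root domain
$netbiosName = 'CORP'               # NetBIOS name verified on the NetBIOS Domain Name page

# Directory Services Restore Mode password (step 15). Prompt for it rather than
# embedding it in the script.
$dsrmPassword = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'

Import-Module ADDSDeployment

# -InstallDns corresponds to "Install and configure the DNS server on this computer" on
# the DNS Registration Diagnostics page (step 13). The database, log and SYSVOL paths are
# the defaults the wizard offers (steps 11 and 12; assumed here). The server reboots when
# the installation completes, as in step 17.
Install-ADDSForest `
    -DomainName $domainName `
    -DomainNetbiosName $netbiosName `
    -InstallDns:$true `
    -CreateDnsDelegation:$false `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -SafeModeAdministratorPassword $dsrmPassword `
    -NoRebootOnCompletion:$false `
    -Force:$true
```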
Configuring DNS Client Settings (DNS Step-by-Step)
Configure the following settings for each DNS client:
TCP
To configure DNS client settings
1. At the computer that you are configuring to use DNS, click Start, point to Control Panel, and then click Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. Click OK to exit.
Note
It is not necessary to restart the computer at this time if you intend to change the computer's name or domain membership in the following steps.
7. In Control Panel, double-click System.
8. On the Computer Name tab, click Change.
9. In Computer name, type the name of the computer (the host name).
10. Click Domain, and then type the name of the domain you want the computer to join.
11. If Computer Name Changes appears, in User Name, type the domain name and user name of an account that is allowed to join computers to the domain, and in Password, type the password of the account. Separate the domain name and user name with a backslash (for example, domain\user_name).
12. Click OK to close all dialog boxes.
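Scripted equivalent of the twelve steps above, added here as an example and not part of the guide; it uses the DnsClient module and Add-Computer (Windows 8 / Windows Server 2012 or later). The interface alias 'Ethernet', the two DNS server addresses and the host name are placeholders.

```powershell
# Added example: "To configure DNS client settings" (steps 1-12) without the dialogs.
# Run in an elevated session on the client. Names and addresses are placeholders.

$interfaceAlias = 'Ethernet'            # the network connection chosen in step 2
$preferredDns   = '10.0.0.10'           # Preferred DNS server (placeholder: the domain controller)
$alternateDns   = '10.0.0.11'           # Alternate DNS server (placeholder)
$domainName     = 'corp.contoso.com'    # the guide's internal domain
$newHostName    = 'pubs-server'         # a host name that follows the guide's naming guidance

# Step 4, obtain DNS server addresses from DHCP:
#   Set-DnsClientServerAddress -InterfaceAlias $interfaceAlias -ResetServerAddresses
# Step 5, configure them manually. Order matters: the first entry is the preferred server,
# the second the alternate.
Set-DnsClientServerAddress -InterfaceAlias $interfaceAlias -ServerAddresses $preferredDns, $alternateDns

# Re-read the setting before joining, the scripted form of re-opening the TCP/IP
# properties dialog to confirm what the client will actually query.
Get-DnsClientServerAddress -InterfaceAlias $interfaceAlias -AddressFamily IPv4 |
    Select-Object InterfaceAlias, ServerAddresses

# Steps 7-12: rename the computer and join the domain in one operation, then restart.
# The domain\user_name account from step 11 is supplied through a credential prompt,
# never hard-coded in the script.
$joinCred = Get-Credential -Message "Account allowed to join computers to $domainName (domain\user_name)"
Add-Computer -DomainName $domainName -NewName $newHostName -Credential $joinCred -Restart
```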
Advanced DNS Configuration (DNS Step-by-Step)
In most cases, Active Directory-integrated DNS on a small, simple Windows-based network requires little configuration beyond the initial setup. Occasionally, however, you might need to perform some additional configuration tasks, such as adding resource records or configuring a DNS forwarder, to handle unusual situations.
Adding Resource Records
Resource records store information about specific network computers, such as their names, Internet Protocol (IP) addresses, and services that the computers provide. In most cases, Windows-based computers update their own resource records on DNS servers (using DNS dynamic update protocol, also known as dynamic DNS), eliminating the need for an administrator to manage them. However, if your network contains non-Windows-based computers or computers that you want to designate for handling e-mail, you might need to add the following resource records to the zone on your DNS server for these computers:
• Host address (A). Maps a computer's DNS domain name to the computer's IP address.
• Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards e-mail.
Important
When the Active Directory Installation Wizard installs and configures DNS on the new domain controller, it creates resource records that are necessary for the proper operation of the DNS server on the domain controller. Do not remove or change these resource records. Change or remove only those resource records that you have added yourself.
Host A Resource Records
The host A resource record is used to associate the DNS domain name of a computer (or "host") to its IP address. The host A resource record is not required for all computers, but it is required for any computer that shares resources on a network and needs to be identified by its DNS domain name.
• Windows clients and servers use the Dynamic Host Configuration Protocol (DHCP) Client service to dynamically register and update their own A resource records in DNS when an IP configuration change occurs.
• DHCP-enabled client computers running earlier versions of Microsoft operating systems can have their A resource records registered and updated by proxy if they obtain their IP address lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service supports this feature.)
• You can manually create an A resource record for a static TCP
To add a mail exchanger (MX) resource record to a zone
1. At the DNS server, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click New Mail Exchanger (MX).
3. In Host or child domain, type the name of the host or domain of the mail exchanger for this domain only if it is different from the parent domain; otherwise, leave this field blank.
4. In Fully qualified domain name (FQDN) of mail server, type the DNS domain name of an existing mail server that can function as a mail exchanger for the domain.
5. In Mail server priority, type a number between 0 and 65535 that indicates the priority of the mail server among other mail exchangers for this domain. The mailer attempts to deliver mail to servers with lower priority numbers before attempting to deliver to servers with higher priority numbers.
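An added example (not the guide's own) that creates the host (A) and mail exchanger (MX) records described above with the DnsServer module (Windows Server 2012 or later) and lists the MX records in the order a mailer would try them. The host names and addresses are constructed placeholders in the guide's corp.contoso.com zone.

```powershell
# Added example: adding A and MX records from the command line instead of the DNS console.
# Run on the DNS server. Host names and addresses below are constructed placeholders.

$zone = 'corp.contoso.com'

# Host (A) records for two non-Windows mail servers that cannot register themselves by
# dynamic update. Only records you add yourself are managed this way; the records the
# Active Directory Installation Wizard created are left alone.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'unixmail1' -IPv4Address '10.0.0.25'
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'unixmail2' -IPv4Address '10.0.0.26'

# MX records at the zone root ('.' is the parent domain itself, the same as leaving
# "Host or child domain" blank in step 3). Preference is the 0-65535 priority from step 5:
# the lower number is tried first, so unixmail1 is primary and unixmail2 the backup.
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "unixmail1.$zone" -Preference 10
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "unixmail2.$zone" -Preference 20

# Verify: the zone's MX records in the order a mailer attempts delivery.
Get-DnsServerResourceRecord -ZoneName $zone -RRType MX |
    Sort-Object { $_.RecordData.Preference } |
    Select-Object HostName,
        @{ n = 'MailExchange'; e = { $_.RecordData.MailExchange } },
        @{ n = 'Preference';   e = { $_.RecordData.Preference } }

# Each MX target must itself resolve; an MX that points at a name with no A record is
# the usual reason mail for the domain cannot be delivered. Ask this server directly.
Resolve-DnsName -Name "unixmail1.$zone" -Type A -Server 127.0.0.1
Resolve-DnsName -Name "unixmail2.$zone" -Type A -Server 127.0.0.1
```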
Automatically Removing Outdated Resource Records
While the ability of DHCP to register A and PTR resource records automatically whenever a new device is added to the network makes life easier for the network administrator, it does have one drawback: Unless action is taken to remove them, those resource records will remain in the DNS zone database indefinitely. While this is not a problem with relatively static networks, it negatively affects networks that change frequently (with the addition and removal of portable computers, for example). This accumulation of records can result in poor performance of both the DNS server and DHCP services, as both have to work around these stale (obsolete) host
4. Click the Advanced tab, select Enable automatic scavenging of stale records, and then click OK.
5. On the Action menu, click Set Aging/Scavenging for All Zones, click Scavenge stale resource records, and then click OK.
6. In the Server Scavenging/Aging Confirmation dialog box, select Apply these settings to the existing Active Directory-enabled zones, and then click OK.
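The same aging and scavenging configuration scripted with the DnsServer module (Windows Server 2012 or later), added as an example rather than taken from the guide; it also previews which dynamically registered records a scavenging pass would remove. The 7-day intervals, the zone name and the record selection are assumptions.

```powershell
# Added example: enable aging/scavenging as the console procedure does, then preview
# the stale records before the first automatic pass. Run on the DNS server.
# Intervals and zone name are assumptions, not values from the guide.

# Server-wide "Enable automatic scavenging of stale records" (step 4). The server runs a
# scavenging pass every ScavengingInterval; -ApplyOnAllZones pushes the aging intervals
# to every zone the server hosts.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval '7.00:00:00' -ApplyOnAllZones

# Per-zone aging for the Active Directory-integrated forward zones (steps 5 and 6).
# A dynamically registered record becomes eligible for removal only once both intervals
# have elapsed since its timestamp:
#   timestamp + NoRefreshInterval + RefreshInterval < now
# NoRefreshInterval suppresses timestamp-only rewrites (keeping Active Directory
# replication traffic down); RefreshInterval is the window in which the client must
# re-register before the record counts as stale.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone -and -not $_.IsAutoCreated } |
    ForEach-Object {
        Set-DnsServerZoneAging -Name $_.ZoneName -Aging $true `
            -NoRefreshInterval '7.00:00:00' -RefreshInterval '7.00:00:00'
    }

# Preview: A records older than NoRefresh + Refresh (14 days here). Records you created
# manually carry no timestamp and are never scavenged, which is why they are excluded.
# Nothing is deleted by this query.
$cutoff = (Get-Date).AddDays(-14)
Get-DnsServerResourceRecord -ZoneName 'corp.contoso.com' -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address } }

# To run a pass now instead of waiting for the interval (the server's
# "Scavenge Stale Resource Records" action):
#   Start-DnsServerScavenging -Force
```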
Configuring a Forwarder for Internet Access
A forwarder is a DNS server on a network that forwards DNS queries for external DNS names to DNS servers outside of that network. By using a forwarder, you can manage how names outside of your network are resolved, such as names on the Internet. When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic. If you are not using a firewall to isolate your network from the Internet, you should use a forwarder to provide Internet access to clients on your network.
Important
Connecting your network directly to the Internet without using a firewall to control external access to your network computers can result in serious security issues. Microsoft strongly recommends that you use a firewall instead of a forwarder to provide Internet connectivity for your network clients.
To configure a DNS server to use a forwarder
1. At the DNS server that you want to configure to use forwarders, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click All other domain names.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder supplied by your Internet service provider (ISP), and then click Add.
6. Click OK to exit.
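Scripted form of the forwarder procedure, added as an example and not part of the guide, with a check that the forwarder actually answers. It uses the DnsServer module (Windows Server 2012 or later); the forwarder address 203.0.113.53 is a placeholder for the one your ISP supplies.

```powershell
# Added example: configure the ISP-supplied forwarder and confirm the path works.
# Run on the internal DNS server. The forwarder address is a placeholder.

$forwarder = '203.0.113.53'   # placeholder from the documentation range; use the ISP's resolver

# Steps 4-5: forward "All other domain names" (everything this server is not
# authoritative for) to the ISP's server. Internal zones are still answered locally.
Add-DnsServerForwarder -IPAddress $forwarder -PassThru

# Do not fall back to root hints when the forwarder fails to answer. With root hints off,
# internal clients never query Internet name servers directly and all external lookups
# leave the network through this one address, which is the only DNS path the firewall
# needs to permit outbound.
Set-DnsServerForwarder -UseRootHint $false

# Show the resulting forwarder list, time-out and root-hint setting.
Get-DnsServerForwarder

# Check end to end: the forwarder must be reachable on port 53, and an Internet name
# should then resolve through the local server. A failure here is the "cannot resolve
# Internet names but can resolve intranet names" case in the troubleshooting section.
Test-NetConnection -ComputerName $forwarder -Port 53 | Select-Object ComputerName, TcpTestSucceeded
Resolve-DnsName -Name 'www.microsoft.com' -Type A -Server 127.0.0.1 -DnsOnly
```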
Troubleshooting DNS (DNS Step-by-Step)
Most often, DNS configuration problems are exposed when one or more DNS client computers are unable to resolve host names.
The first step in troubleshooting DNS problems is to determine the scope of the problem by using the ping command on multiple clients to resolve the names of hosts on the intranet and the Internet, and to test overall network connectivity. Use the following commands on several DNS client computers and with several different target computers, and note the results:
ping internal_host_ip_address
ping internal_host_name
ping Internet_host_name
where internal_host_ip_address is the Internet Protocol (IP) address of a computer that exists in the client's domain, internal_host_name is the DNS domain name of the computer, and Internet_host_name is the name of a computer that exists on the Internet. Note that it is not important whether an Internet computer responds to the ping request, only whether the specified name can be resolved to an IP address. The results of these tests will suggest the nature of the problem, as listed in the following table.
Ping Command Result / Possible Cause
Multiple clients cannot resolve any intranet or Internet names:
This might indicate that the clients cannot access the assigned DNS server. This might be the result of general network problems, particularly if ping using IP addresses fails. Otherwise, if the clients are configured to obtain DNS server addresses automatically, the DHCP servers on the network might not be configured properly.
Multiple clients cannot resolve intranet names but can resolve Internet names:
This suggests that host (A) resource records or other records (such as SRV records) do not exist in the DNS zone database. Check to ensure that the appropriate resource records exist and that the DNS server is properly configured to receive automatic updates, as appropriate. If the target host names are located in a particular child zone, ensure that delegation of that zone is properly configured.
Multiple clients cannot resolve Internet names but can resolve intranet names:
The designated forwarder of the DNS domain is unavailable, or the DNS server is not properly configured to use a forwarder. For more information about configuring a DNS server to use a forwarder, see Advanced DNS Configuration (DNS Step-by-Step) in this guide.
One client only cannot resolve any intranet or Internet names:
If the ping command using IP addresses fails, this indicates that the client computer cannot connect to the network at all. Ensure that the client computer is physically connected to the network and that the network adapter for the computer is functioning properly. If the ping command using IP addresses succeeds but ping cannot resolve DNS domain names, then the TCP
If you have ruled out all of these potential problems for a particular client and still cannot resolve DNS names, use the following procedure to verify the DNS client settings.
To verify DNS client configuration in TCP/IP settings
1. Log on to the DNS client computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network. Review the DNS server settings and verify that they are correct.
If the client does not have a valid TCP
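An added example (not from the guide) that runs the three ping tests from a client and maps the outcome onto the rows of the troubleshooting table. It requires Resolve-DnsName and Get-DnsClientServerAddress (Windows 8 / Windows Server 2012 or later); the internal host address and the host names are placeholders.

```powershell
# Added example, not part of the guide: run the guide's three tests from a DNS client and
# report the matching "Possible Cause" from the troubleshooting table.

$internalHostIp   = '10.0.0.10'              # internal_host_ip_address (placeholder)
$internalHostName = 'dc1.corp.contoso.com'   # internal_host_name (placeholder)
$internetHostName = 'www.microsoft.com'      # Internet_host_name

function Test-DnsClientPath {
    param([string]$InternalIp, [string]$InternalName, [string]$InternetName)

    # "ping internal_host_ip_address": connectivity only, DNS is not involved.
    $ipReachable = Test-Connection -ComputerName $InternalIp -Count 2 -Quiet

    # The guide only cares whether a name resolves, not whether the host answers, so the
    # two name tests ask the resolver directly instead of waiting for ICMP replies.
    $intranetResolves = [bool](Resolve-DnsName -Name $InternalName -Type A -DnsOnly -ErrorAction SilentlyContinue)
    $internetResolves = [bool](Resolve-DnsName -Name $InternetName -Type A -DnsOnly -ErrorAction SilentlyContinue)

    # Map the outcome onto the table's "Possible Cause" column.
    $cause = switch ($true) {
        { -not $ipReachable } {
            'Ping by IP address fails: the client cannot reach the network at all; check the physical connection and the network adapter.'; break }
        { -not $intranetResolves -and -not $internetResolves } {
            'No names resolve: the client cannot reach its assigned DNS server; if the DNS addresses come from DHCP, check the DHCP server configuration.'; break }
        { -not $intranetResolves } {
            'Only intranet names fail: check that A and SRV records exist in the zone, that dynamic updates are accepted, and that child zones are delegated correctly.'; break }
        { -not $internetResolves } {
            'Only Internet names fail: the forwarder is unavailable or the DNS server is not configured to use a forwarder.'; break }
        default { 'All three tests passed.' }
    }

    [pscustomobject]@{
        Client           = $env:COMPUTERNAME
        DnsServers       = ((Get-DnsClientServerAddress -AddressFamily IPv4).ServerAddresses | Select-Object -Unique) -join ', '
        IpReachable      = $ipReachable
        IntranetResolves = $intranetResolves
        InternetResolves = $internetResolves
        PossibleCause    = $cause
    }
}

# Run this on several clients and compare the results, as the guide advises: one failing
# client points at that client's own settings (the verification procedure above); many
# failing clients point at the DNS server, the DHCP scope options or the forwarder.
Test-DnsClientPath -InternalIp $internalHostIp -InternalName $internalHostName -InternetName $internetHostName
```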