Windows2000 DNS Technology Guide 11

zhaozj2021-02-08  202

Chapter 11 Configuring the Windows DNS Server

This chapter discusses installing and configuring the Windows 2000 DNS server. Some of the discussion is about when and why you should, or should not, use particular features, but the focus is on getting to know the DNS server step by step, on the assumption that the design and plan for the DNS server are already in place. This chapter includes:
• Preparatory knowledge. A short note on the preparation phase, which makes installing the DNS service more straightforward.
• Installing the Windows DNS server. Describes the steps for installing DNS on Windows 2000.
• Configuring the DNS server. Describes the server properties.
• Domains, subdomains and manually created resource records. A brief introduction to using the local server.
• Active Directory integration. Describes the settings and effects of using Active Directory.
• Server types. Describes how to configure the relationships with other servers.
• Cleaning up zones. A brief discussion of the scavenging problem.
• Supporting features. Points out some ways to help manage and understand the operation of the server.

This chapter builds on the information in the preceding chapters and takes the discussion further. DNS is currently the most widely used namespace management service, and Windows 2000 gives DNS a more central position than any previous version of Windows did. Originally, one of the main reasons for using DNS was simply to let a user or administrator identify a system unambiguously. DNS was introduced because the old method, a single HOSTS.TXT file, had grown too large, so finding a machine name was harder and less efficient. Before DNS, the HOSTS.TXT method had a flat (non-hierarchical) namespace, so a given name could belong to only one host, and everyone moved to the new hierarchical DNS naming method.

Suppose there are 300 unnamed machines on several different subnets, and you will soon see why a name service matters so much. Imagine remembering 300 telephone numbers without any phone book. Today many services depend entirely on a name actually existing, so a namespace management tool is logically required. Assume a secure, distributed client/server environment with 300 complex client systems, each locating and accessing resources. Assume that resources are sometimes unavailable, that their existence is not guaranteed, and that they are withdrawn when unavailable. The following describes how a central DNS is used by the new Windows structure.

11.1 Preparatory Knowledge

You should have a very clear understanding of your network and of its design goals, and you should have your own Active Directory structure. Logically it is determined by the namespace boundaries; physically it is matched by the placement of the servers and of the zones on those servers. Configuring the Microsoft DNS server is simple, so simple to install that you may doubt its reliability. But it is not deceptive: if you cannot design or install it properly, you will have to reinstall. If you are lucky you install it a second time; otherwise you have to fix the mistakes. You should know not only your network and goals but also its connectivity and the effect that has on you. There are many causes, among them firewalls, special bridges and/or routed networks, remote node connectivity, client load and access patterns. You now need to decide whether you use Active Directory and, if you do, how to configure it. The readers this chapter addresses are those who are ready and have already planned clearly.

This chapter describes how to set up Windows 2000 DNS in a network with unrestricted access, whether all internal nodes are connected to the Internet or only some of them. The issues to consider in planning and design, and the namespace, were discussed in Chapter 7, Chapter 9 and Chapter 1. The biggest difficulty you will encounter, or have already encountered, lies in licensing, in how to design your own domains, and in the placement of servers and zones.

Here you must fully understand where your servers and clients should be placed in the network, not just roughly. Let's start with installing DNS.

11.2 Installing the Windows DNS Server

If anything in Windows 2000 has become an unconscious routine, it is installing the different kinds of network services. Installation is so simple that you may wrongly conclude that running the service is just as simple. Although it is not difficult, running it also requires a good understanding of what was installed, or a good installation.

Prerequisites
As with most service software, you need an installed Windows 2000 Server with the TCP/IP protocol configured. If this server does not yet use a static IP address, assign one now. The host name should be stable: once the host name has been announced to users it is very troublesome to change the host name or IP address. You also need to log on as a user with administrative privileges. Beyond that there is not much more to consider. The software itself is small, and a suitable server has already been chosen. The chosen server should preferably have ample memory, because DNS will want to use your RAM to cache its database. This is of course related to the zone size, as is the storage space required on the partition; or, if Active Directory storage is used, the space in ntds.dit.

11.2.1 Installation Steps
As mentioned earlier, the installation of the DNS server is very similar to that of other network services, and the real difficulties come after installation. Figure 11-1 shows the Networking Services component dialog, in which a simple check box controls DNS.

114 Part II Using the Windows 2000 DNS Server

Figure 11-1 Selecting DNS in the Networking Services component dialog

You can use the Configure Your Server wizard to configure the server, or use the following steps. Any machine running the DNS Server service must have a static IP address, so choose the machine name and address carefully and try not to change them.
1) Open Control Panel.
2) Start Add/Remove Programs.
3) Click the Add/Remove Windows Components icon to start the Windows Components Wizard.
4) Select Networking Services.
5) Click the Details button to bring up the Networking Services list.
6) Scroll down and select the check box next to Domain Name System (DNS).
7) From here, use the Next and/or Finish buttons to complete the Windows Components Wizard; the exact choices depend on whether other options were also selected in the wizard.
Because Windows 2000 has many features, the interface can be driven in several ways. In this case the following quicker route replaces steps 1 to 3 above:
1) Right-click My Network Places and select Properties. This opens an Explorer window labeled Network and Dial-up Connections.
2) In the main menu, open the Advanced drop-down menu and select Optional Networking Components.
After DNS is installed, you can start. If you installed a caching-only server, your work is almost complete. What has just happened? Of course the DNS server has been installed and should now be running. But there is more: a new option has been added to the Start menu, a snap-in shortcut has been registered with the Microsoft Management Console, and you now have a %WINDIR%\System32\DNS subdirectory, the default file storage location of the DNS server.
Also, the registry now holds the DNS server's information under HKLM\System\CurrentControlSet\Services\DNS. Finally, some new counters have been loaded into System Monitor, and there may be many other adjustments to your system behind the scenes.

11.2.2 The DNS Server Management Console
The first and main tool you need is the DNS server management console, found in the Administrative Tools folder of the Start menu. As long as DNS has been installed it can also be started from Run or from the command line as dnsmgmt.msc. Although dnscmd for scripted management should not be ignored, the console is the basic tool for most DNS management (see Chapters 12 and 13). Many DNS servers can be managed from one management console: they may all be local, partly remote, or all remote. If you install the console on another Windows 2000 machine, you can also obtain adminpak.msi from %WINDIR%\System32 of a Windows 2000 Server installation, or from the Server CD, and install it on the management machine.

To manage a server you first register it with the console. Click the top-level DNS node, then use the node's context menu or the Action menu and select Connect To Computer. You may find the management console a little unstable at first. Note that the console is very sensitive to which item has the focus: click a node first so that it expands on the right, and then you get the menu corresponding to the new focus. Open the DNS management console and select the View menu. In the View menu, if you want to adjust the Customize option, first click Advanced to enable the extended display. In this Advanced View mode you can also examine cached records in the newly visible Cached Lookups node. Two other popular ways to reach the DNS management interface are a custom console and the Computer Management console. The first you must create yourself. For the second, use the context menu of My Computer and select Manage, or use Run to start compmgmt.msc. When that console opens, DNS is found under the Services and Applications node, and the console conveniently gathers event log access and the related services, such as DHCP, WINS and DNS, in a single interface. Before using it for real, you should become familiar with the management interface. We will look at the DNS characteristics, but first note several switches and commands. Look at Figure 11-2, which shows the context menu of a server node.

Figure 11-2 The DNS server menu of a server node

The All Tasks option has been expanded, showing the server functions Stop, Start, Pause and Resume. In the main list, the Clear Cache option clears the cache of the DNS caching resolver.
Since the Windows 2000 DNS server implements the negative caching (NCACHE) specification, the cache may need refreshing more often, especially in a test environment that is reconfigured repeatedly. The Update Server Data Files option in this menu writes the configuration and zone data to permanent storage, ensuring that the in-memory version of the data matches the stored version. Note that the two options related to cleanup, Set Aging/Scavenging for All Zones and Scavenge Resource Records, show that the console supports dynamic DNS wherever possible. The Configure the Server option starts a wizard (discussed later). After introducing the server configuration options, we will turn to the topic of zone creation under the New Zone option.

11.3 DNS Server Configuration

Before going further, become familiar with the server-level controls of the Windows 2000 DNS service. Figure 11-3 shows the DNS server's Properties dialog with the Forwarders tab selected. To open the DNS Server Properties dialog:
1) Open the DNS server management interface.
2) Click the chosen server in the server list under the top-level DNS node.
3) Click the Action menu or the context menu of the selected server (right-click).
4) Select Properties.

Figure 11-3 The Forwarders tab of the Windows 2000 DNS Server Properties dialog

We need to take a brief look at these options and the settings here. These are server-level settings, meaning that they affect the whole server; zone-level and resource-record-level properties are discussed later.

11.3.1 DNS Server Properties: Interfaces
If you click the Interfaces tab, you will see that you can control the network interfaces through which the DNS server receives and answers requests. You can choose all interfaces or a manually configured list of IP addresses. This is a server-wide setting: by default the DNS server answers for all zones on all interfaces. A change here takes effect only after the DNS server is stopped and restarted; see All Tasks in the server context menu.

11.3.2 DNS Server Properties: Forwarders
Click the Forwarders tab to use forwarders (see Figure 11-3). Recall that a forwarder is a DNS server to which the server in front of it (the one you are managing) sends the queries it receives from client resolvers. This front server first checks whether it can answer the query itself; if it cannot, it forwards. A very easily overlooked use of forwarders is to send out every query that the server cannot answer completely on its own.

Acting as the bridge from the internal to the public DNS namespace, the forwarding machine is in a position to block the forwarding of queries for internal names to external DNS servers. Use the Enable forwarders check box to configure forwarders, then build a list of DNS servers by repeatedly entering an IP address and clicking Add. Note that you can rearrange the order of the listed forwarders for best performance, placing the most commonly used DNS server at the top; the DNS server sends queries to the machines in the list in that order. The Forward time-out (seconds) option sets how long the DNS server waits before using other means to satisfy the client's query. After forwarders are enabled, the Do not use recursion option at the bottom of the tab becomes available together with the time-out. This option deserves explanation: if Do not use recursion is selected, the DNS server resolves only through the forwarders. It is not allowed to perform recursive resolution on its own but is limited to the service of the forwarders. Some may think the option is slightly misnamed: what if the root servers start an iterative query from the root hints? Perhaps it should be called Do not initiate resolution; Do not use recursion makes the DNS server resolve only through the specified forwarders.

11.3.3 DNS Server Properties: Advanced Options
Figure 11-4 shows the Advanced tab of the DNS server properties; although we do not want to spend too long on it, there is still much to introduce.

Figure 11-4 The Advanced tab of the Windows 2000 DNS Server Properties dialog

If you compare Figure 11-3 and Figure 11-4, you will notice the additional Security tab. Figure 11-3 shows a member server; Figure 11-4 shows the DNS server on a domain controller, which uses Active Directory to store zone data.

1. Name checking
The Name checking drop-down list on the Advanced tab controls the algorithm used to check the legality of DNS names. Strict RFC (ANSI) requires names to comply fully with the RFC; the default is Multibyte (UTF8).

This is the extended option supported by the international standards body (see Appendix B). The other two options, Non RFC (ANSI) and All names, are looser checks; the difference is that Non RFC (ANSI) accepts any name as long as it is composed of ANSI characters. To interoperate with the worldwide DNS, Strict RFC (ANSI) should be used.

2. Configuration and zone file storage
Perhaps the first thing to explain is how the server loads its zones at startup. There are three options: load from file, load from registry, or load from Active Directory and registry. This is where the integration of DNS with Active Directory is configured. It has many consequences, but it is just a simple switch. As one of the book's reviewers aptly remarked, "a simple change brings a lot of results." Because Chapter 7 is devoted to the significance of those results, this discussion is limited to the configuration of the DNS server.
When loading from file, the boot file stored in %WINDIR%\System32\DNS lists the zones to load. Changing the storage location is not possible: a directory directive in the boot file is ignored, and full paths to zone files are not honoured. The registry information used to relocate the stored files is also not visible here. When loading from the registry, the zones to load are specified in registry values. Unless the zone entries in the registry are changed, however, the zone data still lives in the zone files, as when loading from file. Only Active Directory storage stops the use of zone files. When converting from file to registry, the boot file is copied to a backup subdirectory (.\backup), which is created if it does not already exist.
When returning to file storage, a new boot file is created from the registry information. When file storage is used, the boot configuration information in the registry and the boot file are kept synchronized. When loading from Active Directory and registry, the boot configuration is stored in the registry and the zone data in Active Directory. Once converted to this setting, the zone data is loaded into memory as Active Directory objects and can be read with LDAP tools, including the Active Directory Users and Computers console (dsa.msc). When this conversion happens, the boot file is again moved to .\backup, and a boot.txt file is left behind to tell you that the change has occurred. Table 11-1 summarizes the storage locations used under the different settings.

Table 11-1 DNS configuration and data storage options
Load from                       Configuration           Zone data
File                            Text file and registry  Text file
Registry                        Registry                Text file
Active Directory and registry   Registry                Active Directory

Once you are dealing with files, it is best not to overlook the Update Server Data Files option. Before editing the boot or zone files, this option makes the DNS server write all cached changes to the on-disk configuration; Figure 11-2 shows this option.

3. Disable recursion
Do not confuse the Disable recursion option with the similarly named setting on the Forwarders tab; this one controls the type of query the server accepts. Once recursion is disabled, this DNS server behaves like a root server and accepts only iterative queries. The Windows 2000 DNS server is configured to accept recursive queries by default.

4. BIND secondaries
This option does not affect zone transfers between two Windows 2000 DNS servers. If a zone transfer goes to a BIND server, or to a server the DNS server cannot identify, it forces the use of the less efficient but fully compatible zone transfer format. This option also existed in the NT 4 DNS server. If transfers go to BIND versions earlier than 4.9.4, make sure BIND secondaries is enabled, so that the server does not have to pack many resource records into each transfer message.

5. Fail on load if bad zone data
This is an option you set to suit yourself: if a zone file contains erroneous data, loading fails when this option is enabled. When it is not enabled, which is the default, the DNS server only logs an error message, skips the bad data and continues loading the zone. Before you start editing by hand, remember the setting of this option in case you introduce exactly such an error; the setting will prove useful. While on the subject, note that, as Figure 11-5 shows, editing zone and data files does not always end well; remember to update the files first and pay attention to whether dynamic updates are in effect.

6. Enable round robin
This option lets the DNS server rotate among multiple A records for one host name. No real load-balancing technology is involved, but the load is spread: the DNS server keeps track of the IP address it returned at the head of the last answer and rotates the list of IP addresses in successive answers.

7. Enable netmask ordering
This is a feature of the Windows 2000 DNS server that lets the server prioritize IP addresses when returning query results. When a host has multiple A records, if the DNS server determines that a record matches the local subnet of the querying client, that record is preferred in the answer.
This option defaults to on.

8. Secure cache against pollution
This feature controls how the Windows 2000 DNS server adds related answers to its cache. If the option is enabled, a related answer is added to the cache only if the related host is in the same parent domain as the queried host. For example, when querying for hq.example.net, a name server returned within that parent domain is cached; if the related host returned is bad.hack.com, it is not cached, and nothing about it enters the cache during resolution. This feature is not enabled by default. Before enabling it, consider the proportion of additional query overhead required for the verification.

11.3.4 DNS Server Properties: Root Hints
This tab displays the current cache or root hints file. This was shown in Figure 4-11, with the Internet root servers used by default. It gives a quick check of the DNS server configuration; remember that this file is critical to configuring an internal namespace server, so it can be used during troubleshooting to confirm that the correct root hints are in use.

11.3.5 DNS Server Properties: Logging
This tab lets you choose what is written to the debug log file. For a busy DNS server you need to choose the mask carefully. The log file is %WINDIR%\System32\DNS\dns.log, an ASCII text file.
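As an added illustration (not code from the book or from Microsoft), the following Python models three of the Advanced-tab options described above, round robin, netmask ordering, and secure cache against pollution, on constructed records; the subnet test assumes a /24 mask and the bailiwick rule is "same parent domain as the queried name".

```python
"""Model of three Windows 2000 DNS 'Advanced' options on constructed data.
Hypothetical illustration; the real server's internals are not shown here."""
import ipaddress
from typing import Dict, List, Tuple

# A resource record as (owner name, type, rdata); all sample data is constructed.
RR = Tuple[str, str, str]
SAMPLE_ADDRS = ["192.168.1.10", "10.10.1.20", "172.16.0.3"]
SAMPLE_ADDITIONAL: List[RR] = [
    ("ns1.example.net", "A", "10.10.0.53"),   # same parent domain as hq.example.net
    ("bad.hack.com", "A", "203.0.113.9"),     # outside it: must not be cached
]


def parent_domain(name: str) -> str:
    """'hq.example.net' -> 'example.net'. A single-label name has no parent."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[1:])


def in_bailiwick(query_name: str, owner: str) -> bool:
    """True when 'owner' lies in (or below) the parent domain of the queried name.
    This is the check 'secure cache against pollution' applies to related answers."""
    parent = parent_domain(query_name)
    owner = owner.rstrip(".").lower()
    return bool(parent) and (owner == parent or owner.endswith("." + parent))


class Responder:
    def __init__(self, round_robin: bool = True, netmask_ordering: bool = True,
                 secure_cache: bool = False, local_mask: int = 24) -> None:
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.secure_cache = secure_cache
        self.local_mask = local_mask          # assumption: /24 decides 'local subnet'
        self._rotation: Dict[str, int] = {}   # per-name round robin offset
        self.cache: List[RR] = []

    def order_a_records(self, name: str, addrs: List[str], client_ip: str) -> List[str]:
        """Order the A records of 'name' for a query from 'client_ip'."""
        addrs = list(addrs)
        if self.round_robin and len(addrs) > 1:
            # Rotate so the address that led the previous answer moves down.
            k = self._rotation.get(name, 0) % len(addrs)
            addrs = addrs[k:] + addrs[:k]
            self._rotation[name] = k + 1
        if self.netmask_ordering:
            # Addresses on the client's subnet go first, rotation order kept within groups.
            client_net = ipaddress.ip_network(f"{client_ip}/{self.local_mask}", strict=False)
            local = [a for a in addrs if ipaddress.ip_address(a) in client_net]
            remote = [a for a in addrs if ipaddress.ip_address(a) not in client_net]
            addrs = local + remote
        return addrs

    def cache_response(self, query_name: str, additional: List[RR]) -> List[RR]:
        """Add related (additional-section) records to the cache; return what was kept."""
        kept = [rr for rr in additional
                if not self.secure_cache or in_bailiwick(query_name, rr[0])]
        self.cache.extend(kept)
        return kept


if __name__ == "__main__":
    r = Responder()
    for _ in range(3):
        print(r.order_a_records("www.test.example.net", SAMPLE_ADDRS, "10.10.1.5"))
    print(Responder(secure_cache=True).cache_response("hq.example.net", SAMPLE_ADDITIONAL))
```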

Figure 11-5 A friendly message telling you that your boot file or zone file was not edited

Table 11-2 provides more information about these options. It may help, because the screen shows no information when you choose an option.

Table 11-2 DNS server logging options
Option         Explanation
Query          Log inbound queries
Notify         Log inbound notification messages
Update         Log inbound dynamic updates
Questions      Log the question section of inbound queries
Answers        Log the answer section of responses
Send           Log packets sent by the server
Receive        Log packets received by the server
UDP            Log requests received over UDP
TCP            Log requests received over TCP
Full Packets   Log complete packets
Write Through  Log packets written through by the server

This log is especially useful when combined with the other available tools, such as the monitors (that is, System Monitor) and the event log. I hope you will not need this log often. When you do need it, remember that it reduces server performance and soon produces a large amount of file data.

11.3.6 DNS Server Properties: Monitoring
This tab lets you send a recursive test query to a remote DNS server, or perform a simple test on the local system. Simply check the desired test and click the Test Now button. The remote option is the more interesting, as it makes both servers take part; it can only be used between two servers that are communicating and speaking the same language. The tests can also be run at a specified interval.

11.3.7 DNS Server Properties: Security
This tab is available only when Active Directory integration is enabled for at least one zone. The simple form of the Security tab is shown in Figure 11-6; it is the standard Windows 2000 editor for access control lists (ACLs).

Figure 11-6 The Security tab on the DNS server, showing the familiar security editor dialog

The dialog depends on the security configuration of the DNS object in Active Directory. Highlighting the Authenticated Users entry shows that this group can read the object. Chapter 7 discusses the security of Active Directory integration.

11.4 Zones, Subdomains and Manually Created Resource Records

When using the local server there are two options. If you installed it as a caching-only server and want to use the Internet root hints, you are done: just point the clients at this server. Perhaps you want to specify some forwarders, but the way it works does not change. If you need a caching-only server for an internal namespace, adjust the root hints file and specify forwarders (if any).

11.4.1 Creating a Zone
More likely you will support part of the internal or public DNS namespace. Assume that a test.example.net domain needs a primary server. Here is what must be done, assuming the server was only just installed, to create the zone:
1) Open the DNS server management interface.
2) Click the chosen server node.
3) Use the Action menu or the context menu of the selected node and select New Zone to start the New Zone Wizard.
4) Click Next and select Standard primary. This step could be Active Directory integrated, but choosing standard lets you examine the zone file. Click Next.
5) Select Forward lookup zone and click Next.
6) Enter the name of this DNS domain. Click Next.
7) For the zone file you can choose a name other than the recommended one (in this example test.example.net.dns is used). Note that you can also enter the name of an existing zone file. Use the default, click Next, then click Finish. This does not take long.
If you expand the Forward Lookup Zones node, you will see the new zone. Creating a secondary zone is just as simple, but some special information must be collected, such as where to obtain the zone data.
1) Start the New Zone Wizard as before.
2) Click Next and select Standard secondary. Click Next.
3) Select Forward lookup zone. Click Next.
4) Enter the name of the DNS domain. Since this is a secondary zone, it must be the same as on the primary. Click Next.
5) Enter the IP addresses of the DNS servers from which this secondary zone obtains its data, that is, its masters; if a master is configured in the DNS management console, browse and select it. After entering all the masters, confirm that their order is also correct.
6) Click Next, then click Finish.
No file name can be given here; if you do not want the default name, you must change it later.
Apart from the zone being named by the reversed network address, creating a reverse lookup zone is just as simple. The steps are as follows:
1) Start the New Zone Wizard as before.

2) Click Next, then select Standard primary. Click Next.
3) Select Reverse lookup zone and click Next.
4) Enter the network part of the IP address as the name of the network. For example, 10.10 uses part of a Class A address because it is for the network 10.10.0.0/16. Note that the zone name is generated for you. Click Next.
5) You may also choose another file name; otherwise just click Next, then click Finish.
There is now a reverse lookup zone handling the IP addresses from 10.10.0.0 to 10.10.255.255, shown under the Reverse Lookup Zones node. If you click any of the new zones, you get a more detailed display of its resource records, and you will find two records in each zone: the Start of Authority (SOA) and Name Server (NS) records, which identify your server. The SOA indicates the responsible account. If you look in %WINDIR%\System32\DNS, you will find a new zone file. If you go to HKLM\System\CurrentControlSet\Services\DNS\Zones, you will see a key with entries for each of these zones. Finally, if you open the boot file in %WINDIR%\System32\DNS, you will find that it is just a small named.boot file with no directory directive.
Secondary zones are slightly different because the wizard requires the IP addresses of the primary DNS servers. These machines provide the zone transfer data. Before creating a secondary and using it for transfers, first authorize it on its primary, or at least make sure the primary allows transfers to it. If you do not want this new secondary to be queried, it need not be officially delegated. As you will see in the zone properties, Windows 2000 fully implements the Notify option and incremental transfer (IXFR).
You will most likely configure the Notify option for your secondaries on your master. If the zone allows dynamic updates, the advantages of this approach matter all the more.

11.4.2 Zone Transfers and Other Properties
Open the properties of a forward lookup zone and you will see the property tabs shown in Figure 11-7; the SOA and Name Servers tabs were discussed in Chapter 4.

Figure 11-7 The General tab of the forward lookup zone properties dialog
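The reverse zone naming the wizard performs in step 4, worked through as an added Python example (not from the book): it derives the in-addr.arpa zone name from an octet-aligned network prefix, the address range the zone covers, and the PTR owner name of a host, and generalizes to /8 and /24 networks. The default file name zone.dns is an assumption carried over from the forward zone example in the text.

```python
"""Reverse lookup zone naming for the New Zone wizard; hypothetical illustration."""
import ipaddress
from typing import Tuple


def reverse_zone_name(network: str) -> str:
    """'10.10.0.0/16' -> '10.10.in-addr.arpa'.
    Only octet-aligned IPv4 prefixes (/8, /16, /24) map to one in-addr.arpa zone;
    anything else raises, since the wizard takes whole octets as the network ID."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("need an octet-aligned IPv4 prefix (/8, /16 or /24)")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def zone_file_name(zone: str) -> str:
    """Assumed default zone file name, as for test.example.net.dns in the text."""
    return zone + ".dns"


def address_range(network: str) -> Tuple[str, str]:
    """First and last address the reverse zone answers for."""
    net = ipaddress.ip_network(network, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def ptr_owner(address: str) -> str:
    """'10.10.3.7' -> '7.3.10.10.in-addr.arpa' (owner name of the host's PTR record)."""
    ipaddress.ip_address(address)  # validate before reversing the octets
    return ".".join(reversed(address.split("."))) + ".in-addr.arpa"


def zone_covers(zone: str, address: str) -> bool:
    """True when the PTR record for 'address' belongs in 'zone'."""
    return ptr_owner(address).endswith("." + zone)


if __name__ == "__main__":
    zone = reverse_zone_name("10.10.0.0/16")
    print(zone, zone_file_name(zone), address_range("10.10.0.0/16"))
    print(ptr_owner("10.10.3.7"), zone_covers(zone, "10.10.3.7"), zone_covers(zone, "10.11.0.1"))
```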

W i n s (the W i N S-R) tab in the reverse domain area is also discussed in Chapter 4, and the connotation of D N S serves in detail in Chapter 1 6. These three are closely related to a single resource record type. 1. Generally set the default, the standard area area is created by the update mechanism of dynamic D n s. Enabling this feature requires only the answer to "A L o WDYNAMIC UPDATE?" From N o to Ye S, and this change is applied. When creating an integrated active directory domain, the default is "Only Secure Updates", no integration is obviously not possible. Chapter 7 discusses this problem in a certain extent in using the integrated activity directory storage. In this part, you can see the current state of the domain area, you can pause and restart the domain, which is better than the server-level pause and reuse control provided by the server node. In addition to the type, the domain area is also shown in a standard primary server domain or a secondary server or an integrated active directory domain; the "C H a ​​N g e" button opens a dialog where you can change the type. Note the "A g i n g" button. Figure 7 - 1 shows the configuration of this button, which can clean the old records in the domain area. Once D D n s and security are used, it is likely to have useless resource records in the domain area file. These records are harmful, which may result in the registration that should be allowed to be completed, and the domain zone is increased to reduce the query speed. Chapter 7 details the cleaning process. 2. Domain Zone Transport By Domain Area Transport Issues You can configure the type and security features of the domain zone transmission. Figure 11 - 8 shows this tab to the "N O T I f Y" button (overwriting the window above) to display the feature of the update notification. NT 4.0 also has the "N O T I f Y" button, but it is not convenient to use because it is not incrementally incremented by its domain area. 
On the tab itself, "Allow zone transfers" enables zone transfers for the zone. Once transfers are enabled you can supply a list of servers, by IP address, that are allowed to request a transfer; alternatively, transfers can be allowed to any server, or (as shown here) only to the servers listed in the zone's NS records. Figure 11-8 shows the "Notify" button with the Notify dialog open over it. Notification can be left disabled, or enabled and sent either to the servers listed in the NS records or to a list of explicitly entered machines.

Figure 11-8 Zone Transfers tab and the "Notify" dialog
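The transfer restriction choices on the Zone Transfers tab, the Notify targets, and the IXFR-or-AXFR choice described in this section, as an added Python model (not the book's or Microsoft's code; the addresses and record data are constructed). Allowing transfers to any server hands the whole zone to whoever asks, which is why the model defaults to the NS-listed servers.

```python
"""Added model of a primary zone's transfer policy, Notify targets and the
IXFR-or-AXFR decision. Illustration only, not Windows DNS code."""
from dataclasses import dataclass, field

# "Allow zone transfers" choices on the Zone Transfers tab, and "Notify" choices.
XFER_OFF, XFER_ANY, XFER_NS, XFER_LIST = "off", "any", "ns", "list"
NOTIFY_OFF, NOTIFY_NS, NOTIFY_LIST = "off", "ns", "list"


@dataclass
class PrimaryZone:
    name: str
    serial: int                                      # current SOA serial
    records: set = field(default_factory=set)        # (owner, type, data) tuples
    ns_addresses: set = field(default_factory=set)   # IPs of the zone's NS hosts
    xfer_mode: str = XFER_NS
    xfer_list: set = field(default_factory=set)      # explicit IP list
    notify_mode: str = NOTIFY_NS
    notify_list: set = field(default_factory=set)
    history: dict = field(default_factory=dict)      # serial -> (removed, added)

    def transfer_allowed(self, requester_ip: str) -> bool:
        """Mirror the tab: nobody, anyone, NS-listed servers, or an explicit list."""
        return {XFER_ANY: True,
                XFER_NS: requester_ip in self.ns_addresses,
                XFER_LIST: requester_ip in self.xfer_list}.get(self.xfer_mode, False)

    def notify_targets(self) -> set:
        """Who gets a NOTIFY after a change; they must also pass transfer_allowed."""
        return {NOTIFY_NS: self.ns_addresses,
                NOTIFY_LIST: self.notify_list}.get(self.notify_mode, set())

    def update(self, removed: set, added: set) -> set:
        """Apply a change, bump the serial, remember the diff for IXFR,
        and return the servers that should be notified."""
        self.records = (self.records - removed) | added
        self.serial += 1
        self.history[self.serial] = (frozenset(removed), frozenset(added))
        return self.notify_targets()

    def transfer(self, requester_ip: str, have_serial: int, ixfr: bool):
        """Answer a transfer request: ("refused"|"ixfr"|"axfr", payload).
        Serial comparison is plain integer here (RFC 1982 wrap-around ignored)."""
        if not self.transfer_allowed(requester_ip):
            return "refused", None
        if have_serial >= self.serial:
            return "ixfr", []              # already current: empty incremental answer
        needed = range(have_serial + 1, self.serial + 1)
        if ixfr and all(s in self.history for s in needed):
            return "ixfr", [self.history[s] for s in needed]
        # Requester asked for AXFR, or is so far behind that the kept history
        # no longer covers the gap: send the whole zone.
        return "axfr", sorted(self.records)
```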

The Windows 2000 DNS server always requests incremental zone transfers when it can, whichever of AXFR or IXFR the request turns into. Once an IXFR request arrives, the DNS server answers incrementally unless the versions differ too much. When the master server does not support IXFR requests, the whole zone is transferred using AXFR. These optimisations of the transfer process matter for zones that use dynamic update. When configuring the Notify option, do not forget to also permit the notified servers (that is, put them in the transfer list) so that they can actually receive the zone transfer, whichever server is acting as primary.

11.4.3 Delegation and Subdomains

The DNS management console is used both to delegate and to create domains. Since you now have a DNS server that is primary for text.example.net, look at what it can do. Figure 11-9 shows the context menu of a primary zone. The context menu of a secondary zone differs considerably: a secondary server is not authoritative, so records cannot be created on it, but it can request a transfer (send an IXFR request). In Figure 11-9 the zone example.net has been expanded, showing the static records present. Because you did not create the example.net zone, your server will look different. Here example.net and a number of separate DNS domains have been created.

Figure 11-9 Menu options for a primary zone

Looking at the context menu, you will find many options for creating new records and two marked "New Domain" and "New Delegation". The following sections discuss what each does and how they differ.

1. New DNS domain. Using the "New Domain" option requires only a new domain name, and nothing else.
As discussed in Chapter 4, this is sometimes called creating a subdomain: it creates a portion of the namespace without delegating it.
1) Open the DNS management console and expand the server on which the new domain is to be defined.
2) Place the cursor on the zone under which the domain is to be defined (for example, on example.net to define west.example.net) and right-click to select "New Domain".
3) In the "New Domain" dialog box enter the name of the new domain. In this example the name should be west.
4) Click "OK"; a new folder appears as a node beneath the zone.
Once "New Domain" is selected you must enter a single valid label without any period: in the example above the input is west, not west. and not west.example.net. The OK button is then enabled. After clicking OK, a new folder with that name is created under the zone node. Its icon is a plain folder, and it is empty. If you now create an A record in this new subdomain, giving it the name bld12-r1023, the record is displayed under the West folder of example.net. If you update the server data files on disk and then inspect the example.net zone file, you will see the A record of the name just registered as bld12-r1023.west.

2. New DNS delegation. The "New Delegation" option creates a delegated subdomain, including the NS records needed to answer queries for it. Selecting it launches the "New Delegation Wizard". As with New Domain, the first dialog requires a label without any period; this becomes the name of the new subdomain at the delegation point.
1) Open the DNS management console and expand the server on which the new delegation is to be defined.
2) Place the cursor on the parent zone (for example, on example.net to delegate east.example.net) and right-click to select "New Delegation".
3) In the "New Delegation Wizard", first click "Next". In the Delegated Domain Name dialog, enter the name of the new domain in the "Delegated domain" box. In this example it is east, with no suffix. Note that the fully qualified domain name (FQDN) of the delegated zone is displayed in the greyed-out text box. Click "Next".
4) Now you must specify the name servers that will serve the delegated domain. Click "Add" to open the New Resource Record dialog box and create NS records.
5) Browse to the A or CNAME record of each name server, or enter its name and IP address by hand. For each machine entered, a new NS record is generated in the delegated subdomain.
6) Click "Next", then "Finish" to close the wizard. The node for the new domain appears below the parent zone node.
After supplying the subdomain name, you can enter the addresses of the servers that will be authoritative for it (not the delegating server). Servers can be added by FQDN or by IP address, but if the A or CNAME record of the server already exists in the database of the DNS server the console is connected to, browsing is easiest. Each server added produces an NS record in the new subdomain. After closing the wizard, a new subfolder with a distinctive icon appears; open it to see the NS records. Update the server data files and check that the zone file also shows the NS records. The DNS management console does not let you add other records under the new node: the delegation has created static records in the parent zone on the assumption that the zone itself will exist on the delegated server.
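The difference between the West folder (New Domain) and the East delegation (New Delegation) as seen by a resolver, as an added Python example of how the server answers for each; it is not code from the book, and the zone contents and addresses are constructed.

```python
"""Added example (not from the book): how a server answers queries for a name
under a plain subdomain made with "New Domain" versus a subdomain delegated
with "New Delegation". Zone contents below are constructed."""

APEX = "example.net"
# west.example.net: created with "New Domain", so its records live in this zone.
# east.example.net: created with "New Delegation", so only NS records (plus the
# glue A record of the delegated name server) are held here.
EXAMPLE_NET = {
    "example.net": {"SOA": ["ns1.example.net hostmaster.example.net 101"],
                    "NS": ["ns1.example.net"]},
    "ns1.example.net": {"A": ["192.0.2.1"]},
    "bld12-r1023.west.example.net": {"A": ["10.12.0.23"]},
    "east.example.net": {"NS": ["ns1.east.example.net"]},
    "ns1.east.example.net": {"A": ["192.0.2.50"]},
}


def find_cut(zone: dict, apex: str, qname: str):
    """Closest delegation point (a name below the apex holding NS records)
    that is qname itself or one of its ancestors; None if there is none."""
    labels = qname.split(".")
    for i in range(len(labels)):
        name = ".".join(labels[i:])
        if name == apex:
            return None
        if "NS" in zone.get(name, {}):
            return name
    return None


def answer(zone: dict, apex: str, qname: str, qtype: str) -> dict:
    """Authoritative data, referral, NODATA or NXDOMAIN for one query."""
    qname = qname.rstrip(".").lower()
    empty = {"answer": [], "authority": [], "additional": []}
    if qname != apex and not qname.endswith("." + apex):
        return {"rcode": "REFUSED", "aa": False, **empty}
    cut = find_cut(zone, apex, qname)
    if cut is not None:
        # Delegated: hand back the NS records and any glue, non-authoritatively.
        ns = zone[cut]["NS"]
        glue = [(h, "A", a) for h in ns for a in zone.get(h, {}).get("A", [])]
        return {"rcode": "NOERROR", "aa": False, "answer": [],
                "authority": [(cut, "NS", h) for h in ns], "additional": glue}
    rrs = zone.get(qname, {})
    if qtype in rrs:
        return {"rcode": "NOERROR", "aa": True, "authority": [], "additional": [],
                "answer": [(qname, qtype, d) for d in rrs[qtype]]}
    # The West folder itself holds no records but has children: NODATA, not NXDOMAIN.
    exists = bool(rrs) or any(n.endswith("." + qname) for n in zone)
    return {"rcode": "NOERROR" if exists else "NXDOMAIN", "aa": True, **empty}
```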

3. Resource records. The main resource record types are discussed in detail in Chapter 4, and the remaining types are listed in Appendix F. Because Chapter 4 includes screen captures of the procedure and the required input is predictable, creating resource records manually in a primary zone is not repeated in this chapter. Creating most records pops up a simple dialog asking for the necessary details, with some reasonable defaults, and once a record has been created you can continue creating another from the same dialog.

When the cursor is on a primary zone or on a domain within it, the context menu offers the commonly used resource record types. Choosing "Other New Records" lets you select almost any RFC-specified resource record type (DNAME appeared in the original version of Windows 2000 but not in the release current at publication) and some types not specified in an RFC (at least not yet, such as support for ATM). Remember that you can always pause a zone that uses a zone file and edit the file directly. Make sure you first remove any cached updates and increment the version (serial) number before resuming, so that the changes take effect. For experienced administrators this is routine.

11.5 Active Directory Integration

Storing zones in Active Directory has many consequences, discussed in detail in Chapter 7. Because converting a zone to this storage mode is so simple, requiring only the "Change" button on the zone's "General" tab (refer to Figure 11-7), it is easy to overlook the many new options it affects and makes available. The zone data are stored in Active Directory, as can be seen in Figure 11-10. The figure shows the MicrosoftDNS container expanded in the "Active Directory Users and Computers" console. (Advanced Features view must be enabled.)
Figure 11-10 Zone data stored in Active Directory

In this console the data are not shown hierarchically by domain. The view is read-only; only the security descriptors can be changed. What is visible shows that the zone data can be obtained by LDAP query. If you are not careful, LDAP therefore provides a way around the restrictions you placed on zone transfers, exposing all of the zone data you intended to protect. Refer to Chapter 7 for other aspects of moving zones into this storage mode. Aspects not considered here are the replication load on machines and networks, and the load the DNS server places on the domain controller; these are discussed in Chapter 9. As we warned earlier in this section, the simple conversion is not so simple.

11.6 Server Types

Because most of this material has been covered in earlier sections, only the settings required for each type of operation are summarised briefly here.

11.6.1 Forwarders

Forwarders are configured at the server level, on the Forwarders tab of the server properties. The Windows 2000 DNS server sends recursive queries to these machines; to any other DNS server it always sends iterative queries. Forwarders are used in several of the configurations that follow. Once forwarders are specified, a query is answered from the server's own data if possible and forwarded otherwise. If the forwarder does not answer within the timeout, the Windows 2000 DNS server starts resolving the query itself.

11.6.2 Caching-only server

A caching-only DNS server hosts no primary or secondary zones; it depends on other DNS servers to resolve queries and caches the results as non-authoritative answers for future lookups. In its freshly installed configuration the Windows 2000 DNS server has no zones, only a root hints file suited to Internet use, so the initial configuration is a caching-only server. Two things complete the configuration of a caching-only server. First, if the server is part of an internal DNS design, you will certainly want to adjust the root hints file. Second, it is a good idea to configure the server with forwarders, chosen from its peers or from a server better placed to resolve names inside the designed namespace.

11.6.3 Slave server

A slave server here is not a secondary server receiving zone transfers, but a DNS server configured purely to forward. It differs from a caching-only server in that it does not resolve any received query itself but only forwards it. To make a DNS server a slave, first configure a forwarder.
Then set the "Do not use recursion" option on the Forwarders tab of the server properties. A cruder method that achieves the same result is to edit the root hints file so that the only servers it knows are the forwarders, as is done on UNIX servers.

11.6.4 Authoritative slave server

For want of a better name, this configuration is called an authoritative slave server. It is very similar to the slave server just described; the only difference is that this DNS server is also authoritative for one or more primary and/or secondary zones. The configuration uses forwarders and caches their results. If, however, a query concerns a host in a zone for which the server is authoritative, it returns an authoritative answer from the zone. Otherwise, if the forwarder can resolve the query, only that answer is returned. It is worth repeating that with "Do not use recursion" set, the DNS server still gives authoritative answers.

11.7 Iterative-only operation

By default the server answers iterative queries and accepts recursive queries, but it can be changed to accept only iterative queries by checking "Disable recursion" on the Advanced tab of the server properties. An iterative-only server does less work per query and so has higher capacity. Iterative-only operation is worth noting for public DNS servers, because this configuration increases the server's resistance to being overloaded.

11.8 Zone Cleanup

Using dynamic updates brings problems; security aside, the biggest is probably managing the zone contents. The point of this reminder is that if you do not think through the consequences before enabling the feature, the scavenging capability of the Windows 2000 DNS server may give you a headache. Refer to the discussion in Chapter 7 before making use of the aging and scavenging described in this chapter.

11.9 Support Features

The Windows 2000 DNS server can run on its own and operate very robustly for long periods. Nevertheless things do go wrong, and this section discusses your main options for keeping an eye on it.

11.9.1 Logging

Monitoring a server is a never-ending task. When DNS service is first set up, watching the server closely is very important: you learn how much is going on and catch problems, large or small, early. You have already seen the Logging tab in the server properties; it is a small pity that this tool cannot be enabled per zone, but it still provides valuable information. Once more, use this tool with care on a busy server: it runs continuously and quickly produces large files. We have not yet mentioned the Windows event log, which has a new DNS log in Windows 2000. Figure 11-11 shows the "Computer Management" console with it open. The DNS event log is a good vantage point because any serious problem shows up there, but do not rely on it as a source of capacity and performance data.

Figure 11-11 The DNS Server event log

The "Computer Management" console is reached via the "Manage" option on the context menu of "My Computer", or by running compmgmt.msc. Note that in Figure 11-11 the "System Tools" and "Event Log" nodes have been expanded and the "DNS Event Log" is displayed in the details pane.
At the bottom, "Services and Applications" has been expanded, showing that the whole DNS management interface is also available as a snap-in inside the Computer Management console.

11.9.2 Statistics and Monitoring

If you are new to Windows NT and Windows 2000, you may not yet have discovered the value of System Monitor. Select "Performance" in the "Administrative Tools" folder, or run perfmon.msc. In NT 4.0 this tool was called Performance Monitor, and many still use that name. The monitor works in three modes: live viewing, logging and alerting. Clicking the icon to add a counter brings up a dialog in which you first select the object of interest, here of course DNS, and then the counters of that object to use. Any object can be logged to a file for later viewing. Better still, you can set conditions on counters that raise event log messages; with a tool such as SMS (Systems Management Server) those event log messages can in turn trigger scheduled actions, e-mail messages and so on. To give you an idea of the information the DNS object can provide, Table 11-3 lists its counters. Looking through the list, you will find that memory is easy to monitor, so you can tell how your server is doing; for a DNS server, memory is the most critical resource. The Notify, IXFR, AXFR and transfer counters let you understand the zone transfer load and whether IXFR requests are falling back to AXFR transfers when only IXFR should be occurring. The dynamic update and secure update counters report the server's dynamic zone management activity. Other combinations can be used to view the server's query load, and so on.

Table 11-3 DNS object counters in System Monitor

11.10 DNS Server Registry Entries

Note that the Windows 2000 DNS server has a large number of registry keys, most of which are set through the DNS console.

The root location in the registry is HKLM\SYSTEM\CurrentControlSet\Services\DNS. Beneath it, the subkey \Parameters holds the server-wide settings listed in Table 11-5, while the zone settings listed in Table 11-4 are stored in a separate subkey for each zone.

Table 11-4 DNS zone registry values (columns: Value, Type, Description)

Table 11-5 DNS server global registry values (columns: Key, Value, Value type, Description)

11.11 Summary

This chapter presented the options of the Windows 2000 DNS server and discussed several important aspects of installation and configuration. After reading it you should be able to install a DNS server without problems and start adding zone data. The relevant chapters are referenced for problems that need more in-depth discussion.
