OK, DNS. Welcome to the world of the single most misconfigured part
of Windows networking out there. Why? Because there is a widespread
lack of understanding of how DNS works, and in particular of how it
works within a Windows domain environment built on Active Directory.
So, some basics to begin with.
DNS, the Domain Name System, is at its most basic a service that maps
hostnames to IP addresses; think of it as a distributed database
holding records of these mappings.
DNS has a lot more functionality than this, but that, in its simplest
and purest form, is what DNS does. It also has more advanced roles,
such as locating domain controllers on your network in a Windows
domain (via SRV records), holding aliases (CNAME records) for devices
and resources on your network, and, in larger environments, defining
where unresolved queries should be passed on to (forwarders).
How does DNS work? Simple. A clean example: a client machine (let's
call it CLIENT) queries (asks) a DNS server (let's call it SERVER)
for an address. SERVER responds (answers) to CLIENT with the address
it has in its database, and CLIENT now knows where to go.
Computers talk to each other using IP addresses, which at the wire
level are just binary, ones and zeros, and every computer on the
network has its own unique one. For a human to remember those
addresses would be next to impossible, so we refer to machines by
names such as CLIENT. DNS simply maps the name CLIENT to the address
the computer actually uses. Simple, yes?
The above is as technical as I am going to get in this post; it is
simply explaining, in its simplest form, what DNS does. But even
though it is such a simple concept, there are a few crucial things in
a Windows domain environment that must be configured correctly for
this process to work properly, and from my experience it is rarely
configured properly even at a basic level.
a) Server Side
In a Windows domain environment, the most common configuration of the
DNS server role is for it to sit on a domain controller. Every DC that
you have should also be configured as a DNS server. Why? Because DNS
is the key foundation of Active Directory: name resolution, DC
location, AD replication, the whole deal.
DNS ties in so heavily with Active Directory that your DNS zones can
actually reside within Active Directory itself. This is known as an
Active Directory integrated zone. Once a zone is integrated into AD,
its entire contents replicate along with AD to every DC running DNS
within the zone's replication scope (domain-wide or forest-wide),
providing redundancy and load balancing of DNS. An AD-integrated zone
also lets you set dynamic updates to "Secure only", so that only
authenticated domain members can create or change their own records.
Leave that on: with nonsecure updates allowed, anything on the network
can overwrite the record for any host it likes.
There are also circumstances where you might have a DNS server that
is not a DC, but that is not covered in this article. It is purely
based on an Active Directory domain using DCs as DNS servers, which
is also the most common setup in small, medium, large and
enterprise-class businesses.
Rule 1: Your DC/DNS server must point to itself as a DNS server, and
only ever to internal DNS servers. Why? DNS in a domain environment is
completely reliant on internal DNS servers. The internet contains
thousands of public DNS servers which are used to locate internet
resources. Active Directory doesn't care about these servers when it
comes to locating local resources and computers; it only cares about
what it knows and where it stores it. So logically, in a domain
environment, any resource, whether it's in the local site or in a
remote site on the other side of the world, is classified as a local
record and is stored in your internal DNS database.
You must configure your DC/DNS server's TCP/IP properties to query its
own IP address (or the loopback address, 127.0.0.1). Very easy to
configure: under the TCP/IP properties -> DNS servers, simply specify
the DNS server's own IP address as the preferred server.
The alternate DNS server entry can be left empty if you use only one
DNS server, but in any good AD environment there will be multiple
DCs, and thus multiple DNS servers, so specify another DC/DNS server
as the alternate. A note on ordering: Microsoft's DNS Best Practices
Analyzer flags the loopback address when it is the first entry and
prefers another DC in the site first, with the server itself second,
so that a DC is not dependent on its own DNS service having started
before it can find the domain at boot. Either order satisfies what
actually matters here, which is the next sentence.
Make sure that you only ever specify internal DNS servers in your
server's TCP/IP properties.
Configuring your DC/DNS servers this way basically guarantees that
your server only ever looks at its own database, or a replica of that
integrated database, for name resolution lookups of local resources.
If you place an external ISP DNS server as the primary entry, you
will have all sorts of trouble with Active Directory: queries for
local resources will be sent to the outside world, where those records
do not exist, so the queries will fail (and you will be leaking your
internal hostnames to a third party while they do).
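An added example, not from the original post: a PowerShell audit of Rule 1 across every DC. It pulls the DC list from AD, reads each DC's IPv4 DNS client settings over WinRM, and flags any entry that is not a DC or the loopback address, a DC that does not list itself at all, and a DC that lists only one server when more exist. It needs the ActiveDirectory and DnsClient modules and WinRM access to the DCs; the remediation at the end is commented out and assumes you want the BPA ordering (peer DC first, self second).

```powershell
# Added example, not from the original post. Assumes all internal DNS servers are DCs.
Import-Module ActiveDirectory

$dcs = @(Get-ADDomainController -Filter *)
# Everything a DC is allowed to point at: the loopback address or another DC.
$allowed = @('127.0.0.1') + @($dcs | ForEach-Object { $_.IPv4Address })

foreach ($dc in $dcs) {
    $self = @('127.0.0.1', $dc.IPv4Address)
    $nics = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        Get-DnsClientServerAddress -AddressFamily IPv4 |
            Where-Object { $_.ServerAddresses.Count -gt 0 }
    }
    foreach ($nic in $nics) {
        $servers  = @($nic.ServerAddresses)
        $external = @($servers | Where-Object { $_ -notin $allowed })

        Write-Host "$($dc.HostName) [$($nic.InterfaceAlias)]: $($servers -join ', ')"
        if ($external.Count -gt 0) {
            # Rule 1 violation: AD lookups from this DC go to a resolver that cannot answer them.
            Write-Warning "  external DNS server(s): $($external -join ', ')"
        }
        if (-not ($servers | Where-Object { $_ -in $self })) {
            Write-Warning "  DC does not list itself or 127.0.0.1"
        }
        if ($servers.Count -eq 1 -and $dcs.Count -gt 1) {
            Write-Warning "  only one DNS server listed although $($dcs.Count) DCs exist"
        }
        if ($servers.Count -gt 1 -and $servers[0] -in $self) {
            Write-Host "  note: lists itself first; the DNS BPA prefers a peer DC first, self second"
        }

        # Remediation (run deliberately): peer DC first, self (loopback) second.
        # $peer = ($dcs | Where-Object { $_.HostName -ne $dc.HostName } | Select-Object -First 1).IPv4Address
        # Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        #     Set-DnsClientServerAddress -InterfaceIndex $using:nic.InterfaceIndex `
        #                                -ServerAddresses @($using:peer, '127.0.0.1')
        # }
    }
}
```

If you also run non-DC DNS servers, add their addresses to $allowed; the point of the check is that nothing outside your own DNS servers ever appears in a DC's client settings.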
Rule 2: So what if you need to resolve internet sites or external
resources? External resources are classified as anything that exists
outside of your domain environment: websites, an external network, a
partner's systems, and so on.
DNS acts the same way when trying to locate these records, as
modelled below:
1. Client queries server
2. Server looks for the record in its own zones or database
3. If found, the server answers the client. If not found, the server
either resolves the name itself by iterating from the root hints
(the default on a Windows DNS server, which ships with root hints),
or, with no root hints and no forwarders, returns a failure to the
client
Now we introduce the concept of forwarders. A forwarder is simply an
external DNS server that you enter in the DNS server's properties
(Forwarders tab) for all unresolved queries. In simpler terms, if the
local DNS server cannot find the entry in its own database, it passes
the query, or forwards it, to the external DNS server, which then
follows the same process as above and does the recursion on your
behalf.
So I have entered a forwarder address, and the process now looks as
follows when querying:
1. Client queries server
2. Server checks its own zones or database
3. If a record is found, it passes the result to the client. If not,
it moves on to step 4
4. The local DNS server forwards the request to the external server.
The external server checks its own zones and cache (recursing further
if it has to) and passes the response back to the local DNS server
5. The local DNS server caches the result, for as long as the
record's TTL allows
6. The local DNS server passes the result back to the client
The client now has an answer to its initial query. The DNS server has
also cached the answer, which means the next time a client asks the
same question, the DNS server doesn't need to pass the query back out
to the world; it already knows the answer, at least until the
record's TTL expires. Neat, huh? Because that cache is built entirely
from whatever the forwarder returns, pick forwarders you trust and
leave the server's "Secure cache against pollution" option (Advanced
tab) enabled, which it is by default.
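An added example, not from the original post: PowerShell that shows the forwarder configuration on a DC, sets forwarders if there are none, warns if a forwarder is actually one of your own DCs, and then demonstrates steps 4 to 6 above by clearing the cache, timing a first (forwarded) and a second (cached) lookup, and listing the cached record. The DC name, forwarder addresses and the name queried are placeholders; it needs the DnsServer and ActiveDirectory modules. Note that Clear-DnsServerCache empties the whole cache on that DC, so run it on a lab DC or out of hours.

```powershell
# Added example, not from the original post. $dc, $forwarders and $name are placeholders.
Import-Module DnsServer
Import-Module ActiveDirectory
$dc         = 'DC01.corp.example'
$forwarders = @('192.0.2.53', '192.0.2.54')   # placeholder ISP/perimeter resolvers
$name       = 'www.example.com'               # placeholder external name

# Current forwarder settings on the DC
$fwd = Get-DnsServerForwarder -ComputerName $dc
"Forwarders: $($fwd.IPAddress -join ', ') | fall back to root hints: $($fwd.UseRootHint)"

if (-not $fwd.IPAddress) {
    # No forwarders: unresolved queries recurse from the root hints or fail.
    # UseRootHint $false = forward-only: never iterate from the root if forwarders are down.
    Set-DnsServerForwarder -ComputerName $dc -IPAddress $forwarders -UseRootHint $false
    $fwd = Get-DnsServerForwarder -ComputerName $dc
}

# The forwarder list is the one place an external address belongs. A forwarder
# that is one of our own DCs would just loop unresolved queries back inside.
$dcIps = @((Get-ADDomainController -Filter *).IPv4Address)
foreach ($ip in $fwd.IPAddress) {
    if ("$ip" -in $dcIps) { Write-Warning "forwarder $ip is a DC, not an external resolver" }
}

# Steps 4-6: the first lookup is forwarded out, the second is answered from the DC's cache.
Clear-DnsServerCache -ComputerName $dc -Force
$first  = Measure-Command { Resolve-DnsName -Name $name -Type A -Server $dc -DnsOnly | Out-Null }
$second = Measure-Command { Resolve-DnsName -Name $name -Type A -Server $dc -DnsOnly | Out-Null }
"Forwarded lookup: {0} ms   Cached lookup: {1} ms" -f `
    [int]$first.TotalMilliseconds, [int]$second.TotalMilliseconds

# The answer now sits in the server cache until its TTL runs out.
Show-DnsServerCache -ComputerName $dc |
    Where-Object { $_.RecordType -eq 'A' -and $_.HostName -like "*$name*" } |
    Format-Table HostName, TimeToLive, RecordData -AutoSize
```

The timing gap is the whole point of step 5: the second answer never leaves the DC.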
b) Client Side
Now that you have set your server correctly and configured your
forwarders, let's take a look at the client, which is just as
important when it comes to setting up correctly.
When a client logs on to the domain, it uses DNS to locate the domain
controllers to log on to (it looks up the SRV records under
_msdcs.<your domain>). So, exactly the same as the server
configuration, you must specify ONLY internal DNS servers, as these
are the servers that hold the locator records for the domain
controllers.
So often DNS is misconfigured at the client end to point at external
DNS servers. This is a complete no-go. There is never an occasion
within a domain environment when clients should point at external DNS
servers. Simply none. If a client tries to log on to a domain with
external DNS servers configured, it can cause numerous issues:
* Cannot find a DC to log on to, so the logon process does not
complete properly
* Extremely slow logons while it awaits results for its query from
the outside world, which may bounce around for a long, long time
* Group Policies will not apply, as it cannot find the servers
* Resources won't be accessible
* Profiles will not load
* The client cannot register its own record dynamically, so the DNS
database is not updated with changes and records become outdated
So how should DNS settings be configured at the client side? Simple:
point your clients only to the internal DNS servers in their site.
Keeping in mind the process described above in the server
configuration, the client should only ever query internal DNS
servers; the servers themselves will handle any other requests and
pass the answer back to the client.
One simple rule of thumb to follow: never, ever configure an external
server's IP as primary or secondary on a client. Ever.
We can have alternate DNS servers specified on a client machine within
its TCP/IP properties, but they should only ever be as follows:
Primary: an internal DNS server within the site, or, if there is no
local DC, the closest internal DNS server within the organization
Secondary: alternate internal DNS servers, never external. These may
be in other sites, but they are still part of the Windows domain.
A very easy concept to grasp, and a very common misconfiguration with
disastrous results.
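An added example, not from the original post: PowerShell to run on a joined client that asks every configured DNS server for the DC locator record, then runs the real locator with nltest. A public resolver (8.8.8.8 is used here only as a stand-in for "an ISP DNS server", added to the probe list to show the failure path) returns NXDOMAIN for the locator name, which is precisely why a client pointed at one cannot find a DC to log on to.

```powershell
# Added example, not from the original post. Run on a domain-joined client.
$domain  = $env:USERDNSDOMAIN                      # set at domain logon
$srvName = "_ldap._tcp.dc._msdcs.$domain"          # the DC locator SRV record

# The DNS servers this client is actually configured with (all IPv4 interfaces)
$configured = @(Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 } |
    ForEach-Object { $_.ServerAddresses } | Select-Object -Unique)

# Placeholder: a public resolver appended purely to demonstrate the failure case.
$probe = @($configured) + '8.8.8.8'

foreach ($srv in $probe) {
    try {
        $answers = Resolve-DnsName -Name $srvName -Type SRV -Server $srv -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        $targets = @($answers.NameTarget | Sort-Object -Unique)
        "{0,-15} OK    can locate DCs: {1}" -f $srv, ($targets -join ', ')
    } catch {
        # NXDOMAIN from an external resolver, or no response at all: this server
        # is useless for logon, and a client listing it first waits on it anyway.
        "{0,-15} FAIL  {1}" -f $srv, $_.Exception.Message
    }
}

# What the logon path really uses. This fails outright when every configured
# server failed above, and is slow when only the first one did.
nltest /dsgetdc:$domain /force
```

If every entry in $configured reports OK, the client is set up the way this section describes; any FAIL against a configured server is the misconfiguration.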
DNS, like every other database, needs basic maintenance to keep it up
to date and consistent. There is one built-in feature in particular
that is crucial to keeping zones fresh: aging and scavenging.
This goes through and removes old or stale dynamically registered
records that were not properly removed when DHCP updated DNS (another
topic in itself). You configure it under the zone properties, General
tab -> Aging, where you set the no-refresh and refresh intervals that
decide how old a record must be before it is considered stale. Two
caveats: aging on the zone does nothing until scavenging is also
enabled on at least one DNS server (server properties -> Advanced),
and only dynamically registered records carry a timestamp, so static
records you created by hand are never scavenged.
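An added example, not from the original post: PowerShell that reads the zone-level aging settings and the server-level scavenging state, previews the dynamic A records that the chosen intervals would treat as stale, and (commented out) enables both. The DC name, zone and intervals are placeholders; it needs the DnsServer module. Preview first: scavenging deletes records, so you want to see the candidate list before turning it on.

```powershell
# Added example, not from the original post. $dc, $zone and the intervals are placeholders.
Import-Module DnsServer
$dc        = 'DC01.corp.example'
$zone      = 'corp.example'
$noRefresh = New-TimeSpan -Days 7   # record timestamp cannot be refreshed for this long
$refresh   = New-TimeSpan -Days 7   # then this long to refresh it before it counts as stale

# Zone-level aging (zone properties -> General -> Aging)
Get-DnsServerZoneAging -ComputerName $dc -Name $zone |
    Format-List AgingEnabled, NoRefreshInterval, RefreshInterval, ScavengeServers

# Server-level scavenging (server properties -> Advanced). Zone aging is inert
# until at least one DNS server has this switched on.
Get-DnsServerScavenging -ComputerName $dc |
    Format-List ScavengingState, ScavengingInterval, LastScavengeTime

# Preview: dynamic records older than NoRefresh + Refresh are scavenge candidates.
# Static records have no timestamp (Timestamp is null) and are never touched.
$cutoff = (Get-Date) - ($noRefresh + $refresh)
$stale  = @(Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff })

"Stale A records scavenging would remove from $zone`: $($stale.Count)"
$stale |
    Select-Object HostName, Timestamp, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } } |
    Format-Table -AutoSize

# Enable, once the preview looks right (run deliberately, not as part of the check):
# Set-DnsServerZoneAging -ComputerName $dc -Name $zone -Aging $true `
#     -NoRefreshInterval $noRefresh -RefreshInterval $refresh
# Set-DnsServerScavenging -ComputerName $dc -ScavengingState $true `
#     -ScavengingInterval (New-TimeSpan -Days 7)
```

A stale entry for a host that is still alive usually means that host is not registering itself; fix that before scavenging removes it and breaks name resolution for it.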
DNS is a massive system, but at its basics, particularly in a Windows
domain environment, it is quite a simple tool. As long as the basic
configuration has been applied, it will basically run itself. If you
want to learn more and understand some of the other things DNS does
(and it does a lot), I recommend jumping on MSDN and having a search.