108 Chapter 2 Configuring Name Resolution Quick Check 1. When a DNS server receives a query, how does it first attempt to resolve the name? 2. If a DNS server cannot resolve a query by using the first method, which method will it use next? Quick Check Answers 1. A DNS server first attempts to resolve a query by using resource records stored in a locally configured zone. 2. If a DNS server cannot resolve a query by using zone data, it attempts to answer the query by using cached information. Understanding Recursion If the queried name does not find a matched answer at its preferred server—either from its cache or zone information—the query process continues in a manner dependent on the DNS server configuration. In the default configuration, the DNS server performs recursion to resolve the name. In general, recursion in DNS refers to the process of a DNS server querying other DNS servers on behalf of an original querying client. This process, in effect, turns the original DNS server into a DNS client. If recursion is disabled on the DNS server, the client itself performs iterative queries by using root hint referrals from the DNS server. Iteration refers to the process of a DNS client making repeated queries to different DNS servers. Root Hints To perform recursion properly, the DNS server first needs to know where to begin searching for names in the DNS domain namespace. This information is provided in the form of root hints, a list of preliminary resource records used by the DNS service to locate servers authori- tative for the root of the DNS domain namespace tree. By default, DNS servers running Windows Server 2008 use a preconfigured root hints file, Cache.dns, that is stored in the WINDOWS\System32\Dns folder on the server computer. The contents of this file are preloaded into server memory when the service is started and con- tain pointer information to root servers for the DNS namespace. Figure 2-8 shows the default root hints file. Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 109 Figure 2-8 Root hints file In Windows Server 2008, the root hints file already contains addresses of root servers in the Internet DNS namespace. Therefore, if you are using the DNS Server service in Windows Server 2008 to resolve Internet-based DNS names, the root hints file needs no manual config- uration. If, however, you are using the DNS service on a private network, you can edit or replace this file with similar records that point to your own internal root DNS servers. Further- more, for a computer that is hosting a root DNS server you should not use root hints at all. In this scenario, Windows Server 2008 automatically deletes the Cache.dns file used for root hints. Query Example The following example illustrates default DNS query behavior. In the example, the client que- ries its preferred DNS server, which then performs recursion by querying hierarchically supe- rior DNS servers. The DNS client and all DNS servers are assumed to have empty caches. In Figure 2-9 a client somewhere on the Internet needs to resolve the name example.lucerne- publishing.com to an IP address. 110 Chapter 2 Configuring Name Resolution Figure 2-9 A DNS server performing queries in the DNS namespace to resolve a name on behalf of a client When the DNS Client service on the client computer begins the query process, the following events take place: 1. The client contacts NameServer1 with a query for example.lucernepublishing.com. 2. NameServer1 checks its cache and zones for the answer but does not find it, so it con- tacts a server authoritative for the Internet (that is, a root server) with a query for exam- ple.lucernepublishing.com. 3. The server at the root of the Internet does not know the answer, so it responds with a referral to a server authoritative for the .com domain. 4. NameServer1 contacts a server authoritative for the .com domain with a query for exam- ple.lucernepublishing.com. 5. The server authoritative for the .com domain does not know the exact answer, so it responds with a referral to a server authoritative for the lucernepublishing.com domain. 6. NameServer1 contacts the server authoritative for the lucernepublishing.com domain with a query for example.lucernepublishing.com. NameServer1 4 5 6 Recursive query lucernepublishing.com Name Server com Name Server “ ” Name Server 7 18 2 Iterative queries 3 Resolver Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 111 7. The server authoritative for the lucernepublishing.com domain does know the answer. It responds with the requested IP address. 8. NameServer1 responds to the client query with the IP address for example.lucernepub- lishing.com. Quick Check 1. When would a DNS server contact a root server? 2. If a DNS server contacts a root server to resolve the name “www.contoso.com” and the root server cannot answer the query, how does the original server know which server to query next? Quick Check Answers 1. A DNS server contacts a root server when it cannot answer a query with its own cached or authoritative data. 2. The root server responds to the DNS server with a referral for the address of the DNS server authoritative for the “.com” domain. The DNS server then contacts this server for which it has received a referral. Understanding How Caching Works Both the DNS Client service and the DNS Server service maintain caches. Caching provides a way to improve DNS performance and to substantially reduce DNS-related query traffic on the network. DNS Client Cache The DNS client cache is also called the DNS resolver cache. Whenever the DNS Client service starts, all host-name-to-IP-address mappings contained in a static file named Hosts are pre- loaded into the DNS resolver cache. The Hosts file can be found in WINDOWS \System32 \Drivers\Etc. NOTE How is the Hosts file used? Whenever you add an entry to the Hosts file, that entry is immediately loaded into the DNS resolver cache. In addition to the entries in the Hosts file, the DNS resolver cache also includes entries the cli- ent has received in response to a query from DNS servers. The DNS resolver cache is emptied whenever the DNS Client service is stopped. 112 Chapter 2 Configuring Name Resolution Exam Tip For the 70-642 exam, you need to know the difference between the Hosts file and the Lmhosts file. The Hosts file helps resolve host names (essentially DNS names) to IP addresses, and the Lmhosts file helps resolve NetBIOS names to IP addresses. DNS Server Cache As DNS servers make recursive queries on behalf of clients, they temporarily cache resource records. These cached records contain information acquired in the process of answering que- ries on behalf of a client. Later, when other clients place new queries that request information matching cached resource records, the DNS server can use the cached information to answer these queries. The DNS server cache is cleared whenever the DNS Server service is stopped. In addition, you can clear the DNS server cache manually in the DNS console—the administrative tool used for DNS administration—by right-clicking the server icon in the console tree and then choosing Clear Cache. Finally, you can clear the server cache at the command line by typing the com- mand Dnscmd /clearcache at a command prompt. Time to Live Values A Time to Live (TTL) value applies to all cached resource records, whether in the DNS resolver cache or the DNS server cache. As long as the TTL for a cached resource record does not expire, a DNS resolver or server can continue to use that record to answer queries. By default, the TTL is 3600 seconds (1 hour), but you can adjust this param- eter at both the zone and record levels. PRACTICE Exploring Automatic Name Resolution in Local Networks In this practice, you explore the name resolution mechanisms that are available in Windows networks before a DNS server is installed and configured. By turning on and off various fea- tures and then attempting to connect to a computer in three ways (ping, UNC path, and the Network window), you will learn which features enable which functionality. To begin the exercises in this practice, on Dcsrv1 and Boston, File Sharing must be turned on and Network Discovery must be turned off. Only a single local area connection should be enabled on both computers. Dcsrv1 should be assigned the IPv4 address 192.168.0.1/24 and the IPv6 address fd00::1. Boston should be assigned the IPv4 address 192.168.0.2/24 and the IPv6 address fd00::2. Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 113  Exercise 1 Testing Automatic Name Resolution on an IPv4-only Workgroup without NetBIOS or Network Discovery In this exercise, for the local area connections on both Dcsrv1 and Boston, you disable the IPv6 protocol and NetBIOS in IPv4. 1. Log on to Boston as an administrator. 2. In the Initial Configuration Tasks window, click Configure Networking. If the Initial Configuration Tasks window is not open, you can instead open Server Manager and then click View Network Connections. (Note also that you can always open the Initial Con- figuration Tasks window by typing oobe in the Run box.) 3. In Network Connections, open the properties of Local Area Connection. 4. In the Local Area Connection Properties dialog box, clear the Internet Protocol Version 6 (TCP/IPv6) check box. 5. Double-click the Internet Protocol Version 4 (TCP/IPv6) check box. 6. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click the Advanced button, and then click the WINS tab in the Advanced TCP/IP Settings dialog box. 7. In the WINS tab, select Disable NetBIOS Over TCP/IP, and then click OK. NOTE NetBIOS is for IPv4 only NetBIOS does not exist within IPv6. It’s a feature found in IPv4 Windows networks only. 8. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click OK. 9. In the Local Area Connection Properties dialog box, click OK. 10. Restart the computer. 11. Perform steps 1 through 10 on Dcsrv1. When both computers have finished restarting, proceed to step 12. 12. Log on to Boston as an administrator. At a command prompt on Boston, type ping dcsrv1. You receive a message indicating that the Ping request could not find the host. Without NetBIOS, Boston has no way to resolve the name dcsrv1 on an IPv4-only network for which DNS has not been configured. 13. At the command prompt on Boston, type ping 192.168.0.1. You receive a response from 192.168.0.1. You can determine that connectivity is estab- lished between the two computers; the problem is name resolution only. 114 Chapter 2 Configuring Name Resolution 14. From the Run box, type \\dcsrv1, and then press Enter. A Network Error message appears, indicating that Windows cannot access \\dcsrv1. NOTE UNC paths This type of network path to a remote computer is known as a UNC path. 15. Click Cancel to dismiss the Network Error message. 16. From the Run box, type \\192.168.0.1, and then press Enter. A connection is established, indicated by an open window displaying the shared folders on Dcsrv1. At this time only the Printers folder is shared. 17. From the Start Menu, choose Network. The Network window displays no computers. In the window, a yellow band displays a message indicating that Network Discovery is turned off. 18. Close all open windows.  Exercise 2 Testing Automatic Name Resolution on an IPv4/IPv6 Workgroup with Both NetBIOS and Network Discovery Disabled In this exercise, you leave NetBIOS disabled and enable IPv6. You then observe functionality for Ping, UNC path connectivity, and the Network window. 1. On both Boston and Dcsrv1, in the properties of Local Area Connection, enable IPv6 by selecting the Internet Protocol Version 6 (TCP/IPv6) check box. 2. Restart both computers. 3. Log on to Boston as an administrator. At a command prompt, type ping dcsrv1. You receive a message indicating that the Ping request could not find the host. IPv6 by itself does not facilitate name resolution. 4. At the command prompt, type ping fd00::1. You receive a response, indicating that you can now ping Dcsrv1 by its IPv6 address in addition to its IPv4 address. 5. From the Run box, type \\dcsrv1, and then press Enter. A Network Error message appears, indicating that Windows cannot access \\dcsrv1. By itself, IPv6 does not enable you to use a UNC path connect to a computer specified by name. 6. Click Cancel to dismiss the Network Error message. 7. From the Run box, type \\fd00 1.ipv6-literal.net, and then press Enter. The fd00 1.ipv6-literal.net window opens, displaying the Printers share on Dcsrv1. This is the syntax you must use to connect to a computer by specifying its IPv6 address in a Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 115 UNC path. Notice that in the IPv6 UNC path you replace each of the colons in the orig- inal IPv6 address with a hyphen and append the suffix “.ipv6-literal.net” to the address. 8. From the Start Menu, choose Network. The Network window still displays no computers. 9. Close all open windows. NOTE IPv6 by itself does not enable name resolution Because no name resolution was exhibited in this last exercise even when IPv6 was enabled together with IPv4, we do not need to test name resolution in an IPv6-only network with Net- work Discovery disabled. In an IPv6-only subnet without Network Discovery or DNS, you can- not ping a computer by name, connect to a computer by specifying its UNC, or see it listed in the Network window.  Exercise 3 Testing Automatic Name Resolution on an IPv4-only Workgroup with NetBIOS Enabled and Network Discovery Disabled In this exercise, you disable IPv6 and enable NetBIOS on both computers. Then you observe functionality for Ping, UNC path connectivity, and the Network window. 1. On Boston, open the properties of Local Area Connection, and then clear the Internet Protocol Version 6 (TCP/IPv6) check box. 2. Double-click Internet Protocol Version 4 (TCP/IPv4). 3. In the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, click the Advanced button, and then click the WINS tab in the Advanced TCP/IP Settings dialog box. 4. In the NetBIOS Setting area, select Default, and then click OK. This option enables NetBIOS unless a DHCP server disables it. 5. Click OK to close the Internet Protocol Version 4 (TCP/IPv4) Properties dialog box, and then click OK to close the Local Area Connection Properties dialog box. 6. Restart the computer. 7. Perform steps 1 through 6 on Dcsrv1. When both computers have finished restarting, proceed to step 8. 8. Log on to Boston as an administrator. 9. At a command prompt, type ping dcsrv1. You receive a reply from the IPv4 address of 192.168.0.1. This response demonstrates that NetBIOS resolves computer names in an IPv4-only subnet without a DNS server. 10. From the Run box, type \\dcsrv1, and then press Enter. The dcsrv1 window opens, displaying the Printers share on Dcsrv1. We can determine from this step that NetBIOS resolves local computer names specified in a UNC. 116 Chapter 2 Configuring Name Resolution 11. From the Start menu, choose Network. The Network window is still empty. In Windows Server 2008 networks, NetBIOS is not used to display computers in the Network window. 12. Close all open windows.  Exercise 4 Testing Automatic Name Resolution on an IPv4/IPv6 Workgroup with NetBIOS Enabled and Network Discovery Disabled In this exercise, you enable IPv6 on both computers and observe the behavior. 1. On both computers, open the properties of Local Area Connection, and then enable IPv6 by selecting the Internet Protocol Version 6 (TCP/IPv6) check box. 2. Restart both computers. 3. Log on to Boston as an administrator. 4. From a command prompt, type ping dcsrv1. You receive a response. Notice that with NetBIOS enabled and Network Discovery dis- abled, the response is from the IPv4 address of Dcsrv1, even though both IPv4 and IPv6 are enabled. Later you will observe the circumstances under which this behavior will change. 5. From the Start Menu, choose Network. The Network window is still empty. We do not need to check for UNC path connectivity because we know this will work when NetBIOS is enabled. Adding a protocol or a service (in this case IPv6) never removes name resolution functionality. 6. Close all open windows.  Exercise 5 Enabling Network Discovery In this exercise, you will enable Network Discovery on both Boston and Dscrv1. In the remain- ing exercises you will observe the functionality enabled by this feature. 1. On Boston, open Network And Sharing Center. 2. In the Sharing And Discovery area, click the Off button next to Network Discovery. 3. Select Turn On Network Discovery, and then click Apply. A Network Discovery message appears, asking whether you want to turn on Network Discovery for all Public networks. 4. Click Yes, Turn On Network Discovery For All Public Networks. Note that this option is only recommended for test environments. 5. Restart the computer. 6. Perform steps 1–5 on Dcsrv1. Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 117  Exercise 6 Testing Automatic Name Resolution on an IPv4-only Workgroup with Network Discovery Enabled and NetBIOS Disabled In this exercise, you disable IPv6 and NetBIOS in IPv4. You then observe the distinctive behav- ior that results from this configuration. 1. Using the instructions given in the previous exercises, on Local Area Connection on both computers, disable both IPv6 and NetBIOS in IPv4. After you perform this step, restart both computers. 2. When both computers finish restarting, log on to Boston as an administrator. 3. At the command prompt, type ping dcsrv1. You receive a message indicating that the Ping request could not find the host. In an IPv4-only network, you need NetBIOS to be able to ping a computer by name. Net- work Discovery does not provide this functionality. 4. In the Run box, type \\dcsrv1, and then press Enter. In an IPv4-only network, you cannot connect to a computer by specifying its name in a UNC pathname unless NetBIOS is enabled. Network Discovery does not enable this functionality in IPv4 networks. 5. From the Start Menu, choose Network. The Network window displays either Boston, or Dcsrv1, or both. Both will eventually appear if you refresh the screen. Network Discovery is the feature that populates the Network window in IPv4. 6. When Dcsrv1 appears in the Network window, double-click its icon. You receive a message indicating that Windows cannot access \\DCSRV1. Double-click- ing a computer in the Network window is functionally equivalent to attempting to con- nect by specifying the computer’s name in a UNC. Even if you can see a computer listed in the Network window, you cannot connect to it because NetBIOS is disabled in this IPv4-only network. 7. Close all open windows.  Exercise 7 Testing Automatic Name Resolution on an IPv4-only Workgroup with Both Network Discovery and NetBIOS Enabled In this exercise, you enable NetBIOS and observe the change in name resolution behavior. 1. Using the instructions provided in the previous exercises, on the Local Area Connection on both computers, enable NetBIOS in IPv4 by selecting the NetBIOS setting of Default in the WINS tab of the Advanced TCP/IP Settings dialog box. (Leave IPv6 disabled for the connection.) After you perform this step, restart both computers. 2. When both computers finish restarting, log on to Boston as an administrator. [...]... Figure 2-1 5 You can then cancel out of the wizard and use the answer file with Dcpromo on the Server Core installation 126 Chapter 2 Configuring Name Resolution Figure 2-1 5 Creating an answer file for Dcpromo If you want to install a DNS server on a stand-alone or member server running a Server Core installation of Windows Server 2008, type the following command: start /w ocsetup DNS -Server- Core-Role... Add Roles Wizard to add the DNS Server role ■ You can install a DNS server on a Server Core installation of Windows Server 2008 To do so on a domain controller, use Dcpromo and specify an answer file by using the command dcpromo /unattend: To install a stand-alone DNS server on a Server Core installation, type start /w ocsetup DNS -Server- Core-Role ■ The DNS server properties dialog box allows... to promote a server to a domain controller 1 23 124 Chapter 2 Configuring Name Resolution Deploying a DNS Server on a Stand-alone or Member Server Your name resolution infrastructure might require you to install a DNS server on a stand-alone server or on a member server in an Active Directory domain In this case you will need to install a DNS server without using Dcpromo To install a DNS server, use... right-click the Forward Lookup Zones folder in the DNS Manager console tree, and then choose New Zone, as shown in Figure 2-1 4 For more information about creating, configuring, and managing DNS zones, see Chapter 3, Configuring a DNS Zone Infrastructure. ” Lesson 2: Deploying a DNS Server 125 Figure 2-1 4 Adding a New Zone Deploying a DNS Server on a Server Core Installation of Windows Server 2008 You... DNS Server service acts as a caching-only server Caching-only servers thus require little or no configuration To install a caching-only DNS server, complete the following steps: 1 Install the DNS server role on the server computer 2 Do not create any zones 3 Verify that server root hints are configured or updated correctly Configuring Server Properties The DNS server properties dialog box allows you... Windows Server 2008 You can install a DNS server on a Server Core installation of Windows Server 2008 along with AD DS by using Dcpromo, in which case the DNS server can be installed and configured automatically You also have the option of installing the DNS server as a stand-alone or member server To install a DNS server along with a domain controller on a Server Core installation, use Dcpromo However,... by specifying its name in a UNC In an IPv6-only network, you need Network Discovery to perform this same task 10 From the Start Menu, choose Network 11 When Dcsrv1 appears in the Network window, double-click its icon The DCSRV1 window opens, displaying the Printers share on Dcsrv1 Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 119 Network Discovery essentially provides the... DNS Manager console tree, and then choose Connect To DNS Server, as shown in Figure 2-1 6 Lesson 2: Deploying a DNS Server 127 Figure 2-1 6 Using DNS Manager on a full installation to manage a DNS server installed on a Server Core installation Configuring a Caching-only DNS Server All DNS servers include a cache of query responses Although a DNS server initially contains no cached information, cached... Add Roles Wizard available in Server Manager or the Initial Configuration Tasks window Then, in the wizard, select the DNS Server role (as shown in Figure 2-1 3) and follow the prompts Figure 2-1 3 Installing a DNS server without AD DS Installing the DNS server separately from AD DS requires you to configure the DNS server manually afterward The main task in configuring a DNS server manually is to add and... running only Windows Vista or Windows Server 2008, and that has both IPv6 and Network Discovery enabled on its computers ■ NetBIOS is a legacy protocol and naming system used for compatibility with older Windows network services NetBIOS provides the only name resolution in Windows that works by default on a network without DNS NetBIOS can resolve names by using network broadcasts, a WINS server, or a . to install a DNS server on a stand-alone or member server running a Server Core installation of Windows Server 2008, type the following command: start /w ocsetup DNS -Server- Core-Role To remove. Chapter 3, Configuring a DNS Zone Infrastructure. ” Lesson 2: Deploying a DNS Server 125 Figure 2-1 4 Adding a New Zone Deploying a DNS Server on a Server Core Installation of Windows Server 2008 You. namespace. Figure 2-8 shows the default root hints file. Lesson 1: Understanding Name Resolution in Windows Server 2008 Networks 109 Figure 2-8 Root hints file In Windows Server 2008, the root hints