WINDOWS 2000 TROUBLESHOOTING TCP/IP part 6 pdf

344 Chapter 7 • Troubleshooting Windows 2000 DNS Problems

But it does solve the problem. When an internal user connects to news.tacteam.net, a DNS query is sent to the internal DNS server, and is resolved to the IP address of the internal news server. A user connecting to news.tacteam.net via the Internet contacts the DNS server outside the firewall, and receives the IP address of the Internet-located news server. At no time do your internal resources become threatened or touched by Internet users.

Figure 7.10 displays a simplified network layout of this configuration. Note the two DNS servers, one internal and one external. Each of the DNS servers will have different zone databases, and they most definitely will not participate in zone transfer with each other.

This is the most common scenario you’ll encounter because most organizations already have a domain name and are wary of change. However, if you are blessed enough to be working with a new network installation, or an unusually flexible company, the second approach is a lot easier, and more flexible.

Figure 7.10 Network layout with same internal and external domain name.
[Figure 7.10: Internal Web, Internal Mail, Internal News and Proxy/DNS sit in a DMZ internal to the firewall; the 'Net Web, 'Net Mail and 'Net News/DNS servers external to the firewall are directly exposed to the Internet. Both sides use TACTEAM.NET.]

91_tcpip_07.qx 2/25/00 11:08 AM Page 344

Different Intranet and Internet Domain Names

The best way to go is with different domain names representing your intranet and Internet resources. In this case, we could have two domain names, taccorp.net and tacteam.net. The former is used for internal resources, and the latter for Internet resources. The internal servers would be www.taccorp.net, mail.taccorp.net, and news.taccorp.net. The Internet servers would be www.tacteam.net, news.tacteam.net, and mail.tacteam.net.
The DNS server on the intranet is authoritative for the taccorp.net zone so that all DNS requests for internal resources can be answered by the intranet DNS server. All DNS queries for Internet resources are answered by the external DNS server, which is authoritative for the tacteam.net zone.

Advantages of Using Different Internal and External Domain Names

While each zone still has to be maintained separately, with this solution you don’t have to keep track of two different IP addresses for servers with the same name. You also won’t have to duplicate external resources on internal servers, since the internal clients can access the Internet servers via the proxy through the firewall, as they would contact any other server on the Internet (see Figure 7.11).

Proxy Configuration

The proxy server should be configured to use an internal DNS server that is configured as a slave server. The slave will send the DNS request to its forwarder for Internet host name resolution. The firewall should be configured to allow DNS queries and responses via UDP and TCP Port 53. Normally, DNS queries and responses use UDP Port 53, but if the response won’t fit into a single UDP segment (i.e., the response has been “truncated”), then the DNS server will “fall back” to TCP to accommodate the message.

Corporate Mergers and Domain Management

If you read the business section of your local newspaper regularly, you are aware that corporate mergers are a frequent phenomenon. Merging companies are likely to each have their own network, and someone has the job of making them work together as a new integrated intranet. Let’s look at an example that builds on what we’ve done so far to see how we handle the integration of two networks that have both an Internet presence and corporate intranets.
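The truncation fallback described above, as an added example that is not part of the book: it decodes the header of a UDP reply, checks the TC bit that tells a resolver to repeat the query over TCP port 53, and shows the 2-byte length framing TCP carries, which is why the firewall rule must cover both protocols. The reply headers and the query name www.tacteam.net are constructed sample data.

```python
import struct

# Added example, not code from the book. A UDP reply whose TC (truncated) bit is set
# tells the resolver to repeat the query over TCP, where every message carries a
# 2-byte length prefix; a firewall that passes only UDP/53 breaks exactly that retry.
HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
FLAG_QR = 0x8000                     # 1 = this message is a response
FLAG_TC = 0x0200                     # 1 = answer did not fit in the UDP payload
FLAG_RD = 0x0100                     # recursion desired
QTYPE_A, QCLASS_IN = 1, 1


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < HEADER.size:
        raise ValueError("short DNS message")
    ident, flags, qd, an, _ns, _ar = HEADER.unpack_from(msg, 0)
    return {"id": ident, "qr": bool(flags & FLAG_QR), "tc": bool(flags & FLAG_TC),
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an}


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: each label prefixed by its length, ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(ident: int, name: str, qtype: int = QTYPE_A) -> bytes:
    """A recursive query as a client sends it; the same bytes go over UDP or TCP."""
    return (HEADER.pack(ident, FLAG_RD, 1, 0, 0, 0) + encode_name(name)
            + struct.pack("!HH", qtype, QCLASS_IN))


def needs_tcp_retry(udp_reply: bytes) -> bool:
    """True when the UDP reply is a response with TC set: re-send over TCP port 53."""
    h = parse_header(udp_reply)
    return h["qr"] and h["tc"]


def frame_for_tcp(msg: bytes) -> bytes:
    """Over TCP each DNS message is preceded by its big-endian length (RFC 1035 4.2.2)."""
    return struct.pack("!H", len(msg)) + msg


def split_tcp_stream(data: bytes) -> list:
    """Split a TCP byte stream into whole DNS messages; a trailing partial frame waits."""
    msgs, pos = [], 0
    while pos + 2 <= len(data):
        (length,) = struct.unpack_from("!H", data, pos)
        if pos + 2 + length > len(data):
            break                      # rest of this frame has not arrived yet
        msgs.append(data[pos + 2:pos + 2 + length])
        pos += 2 + length
    return msgs


# Constructed 12-byte reply headers for query id 0x1234 (sections omitted for brevity).
# flags 0x8380 = QR, TC, RD, RA -> truncated, retry over TCP
TRUNCATED_REPLY = bytes.fromhex("1234 8380 0001 0000 0000 0000")
# flags 0x8180 = QR, RD, RA     -> complete, the UDP answer can be used as is
COMPLETE_REPLY = bytes.fromhex("1234 8180 0001 0001 0000 0000")
```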
The Problem: Corporate Merger

The first company is TACteam, the one that we’ve been working with in the previous sections. TACteam uses different domain names to identify its intranet versus Internet resources. TACteam’s intranet resources use private IP addresses and access Internet resources via a proxy server. The internal domain is taccorp.net, and the Internet domain is tacteam.net.

TACteam has merged with Shinder, Inc. Shinder, Inc. maintains a single domain name for both internal and Internet resources. They mirror their Internet resources on their intranet, and maintain separate and distinct shinder.net zones for their intranet and Internet DNS servers. The shinder.net DNS administrators keep track of the different IP addresses for machines with the same name between the intranet and the Internet. Shinder.net is an old company and has been connected to the Internet for several years; therefore, they are using public IP addresses for their internal network. They do not use a proxy server, but do use a firewall to protect the intranet from Internet intruders.

Figure 7.11 Different internal and external domain names.
[Figure 7.11: Internal Web, Internal Mail, Internal News and Proxy/DNS in a DMZ internal to the firewall (TACCORP.NET); the internal Proxy/DNS resolves internal names and forwards external requests. The external DNS server ('Net Web, 'Net Mail, 'Net News/DNS, TACTEAM.NET) resolves Internet resources and acts as forwarder for the internal DNS.]

Your job is to redesign the network so that all users from both domains will be able to access both the internal and Internet resources of both companies. The long-term goal is to migrate the shinder.net resources over to tacteam.net and taccorp.net, but long experience dictates that this is going to take a long time.
You need to get the two networks interacting as soon as possible.

Proposed Solution

Starting at TACteam, you would configure the proxy server to include the public network IDs that are in use at shinder.net so that they are recognized as internal resources. By configuring them as internal addresses, you ensure that DNS requests for these resources will be referred to internal DNS servers at taccorp.net, and not sent to the proxy server for resolution.

On the taccorp.net internal DNS server, create a delegation for shinder.net and include a host A resource record for the internal DNS server at shinder.net. DNS zone delegation is a way of distributing the responsibility of name resolution to other servers. When a DNS query arrives at the taccorp.net DNS server for a resource at shinder.net, it will now be referred to the intranet DNS server at shinder.net based on the information included in the delegation record. Since shinder.net is an internal resource, it won’t be going through the proxy server.

We do have a problem: how are we going to get the taccorp.net machines, which use private IP addresses, to communicate with the shinder.net machines that are using public IP addresses? We can completely wall off the intercompany link from the Internet using dedicated leased lines, but that is a very expensive proposition. A much more cost-effective solution is to create a Virtual Private Network (VPN) over the Internet to connect the two companies.

We would then install a VPN server at the taccorp.net site and configure the VPN server to use Network Address Translation (NAT). We then configure our routers to direct all traffic destined for the shinder.net network IDs to our VPN server, which will itself route traffic to shinder.net to use the VPN connection. The VPN connection will terminate at the VPN server at shinder.net.
Since both taccorp.net and shinder.net lie behind firewalls, the firewalls will be configured to pass VPN traffic to and from both companies. Over on the shinder.net side, we configure their intranet DNS server with a delegation for taccorp.net and the IP address of the taccorp.net DNS server. Then, we configure the routers at shinder.net to direct traffic destined for the taccorp.net network IDs to be sent to the VPN server on the shinder.net side. NAT is not required on the shinder.net side and is handled on the other side’s VPN. (See Figure 7.12.)

Testing the Solution

Let’s see what happens when some DNS queries are issued.

Scenario 1

A client on the taccorp.net domain wants to access the Web server for the shinder.net domain. A DNS query is issued to the taccorp.net internal DNS server, which contains a referral for the shinder.net domain. The taccorp.net DNS server queries the shinder.net DNS server through the VPN for the IP address of www.shinder.net and receives a reply, which is sent to the DNS client in the taccorp.net domain. The taccorp.net client then connects to the shinder.net internal Web servers at www.shinder.net via the VPN because the IP address is recognized as internal.

Scenario 2

A DNS client on the shinder.net side wishes to connect to the Internet Web server for tacteam.net. A DNS query is sent to the shinder.net internal DNS server. The shinder.net internal DNS server is not authoritative for the tacteam.net domain, and forwards the request to the external shinder.net DNS server. The external shinder.net DNS server is not authoritative either, and therefore will complete recursion by issuing iterative requests until the host name is resolved. Once the IP address is received, the external DNS server returns it to the internal DNS server, which in turn returns it to the DNS client on the shinder.net side.
The shinder.net DNS client then connects to tacteam.net via the Internet connection rather than the VPN connection, since tacteam.net is dedicated to Internet resources only. This is only one possible way you could solve this problem, but it does give you the general idea of what the potential problems are, and some ways you can address them.

Figure 7.12 The joys of corporate mergers.
[Figure 7.12: each company has Web, News and Mail servers with a Proxy/DNS and a VPN server on its intranet side, and Web, Mail and News/DNS servers on its Internet side; the two VPN servers are joined across the Internet.]

DNS Zone Design and Troubleshooting

DNS domains are conceptual entities. They exist in a conceptual framework we know as the Domain Name System, but the actual resource records, such as the IP address to host name mappings, are contained within a “physical” file known as a zone file. A single zone can contain multiple contiguous domains. For example, a single zone can contain microsoft.com, dev.microsoft.com, and west.dev.microsoft.com. These domains are contiguous, meaning they lie next to each other. You could not include msn.com in the same zone, because it is not contiguous with the other domains. Figure 7.13 shows this domain arrangement.

Figure 7.13 Example of contiguous and noncontiguous domains.
[Figure 7.13: Root DNS, with .net DNS and .com DNS beneath it; under .com, the microsoft DNS (with mail, dev and west below it) forms the microsoft.com zone and the msn DNS forms the msn.com zone. The Microsoft domains are not contiguous with the MSN domains.]

Zone planning and configuration are especially important when we work with standard DNS zones rather than Active Directory integrated zones. We will talk more about Active Directory integrated zones later, but be aware that the situation we discuss here is a little different with the introduction of the Active Directory integration.
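The contiguous-zone rule just described and the delegation used in the merger scenario, as an added example that is not part of the book: it names a zone by its topmost domain and rejects non-contiguous members, and it models a server that answers from its own zone, refers queries for a delegated domain (shinder.net) to that domain's name server, and forwards everything else. Host names, the 10.1.1.0/24 and 192.0.2.0/24 addresses, and the class and function names are constructed for the example.

```python
# Added example, not the book's code. It models the two rules this section and the
# merger scenario rely on: a zone is named by its topmost domain and may hold only
# contiguous domains, and a query is handled by the closest enclosing zone or
# delegation the server knows about; anything else goes to the forwarder.
# Names and addresses below are constructed (192.0.2.0/24 is a documentation range).


def labels(name: str) -> tuple:
    return tuple(name.lower().rstrip(".").split("."))


def is_within(name: str, parent: str) -> bool:
    """True if name equals parent or lies below it (label-wise, so notmsn.com != msn.com)."""
    a, b = labels(name), labels(parent)
    return len(a) >= len(b) and a[-len(b):] == b


def zone_name(domains) -> str:
    """Name of the zone holding these domains: the topmost one. Raises if not contiguous."""
    top = min(domains, key=lambda d: len(labels(d)))
    outside = [d for d in domains if not is_within(d, top)]
    if outside:
        raise ValueError(f"{outside} are not contiguous with {top}")
    return ".".join(labels(top))


class DnsServer:
    """Authoritative zones (with A records), delegations, and a forwarder for the rest."""

    def __init__(self, zones: dict, delegations: dict, forwarder: str):
        self.zones = zones              # zone name -> {fqdn: ip}
        self.delegations = delegations  # delegated domain -> name server ip
        self.forwarder = forwarder

    def resolve(self, qname: str) -> tuple:
        # Closest enclosing match wins, whether it is a zone we hold or a delegation.
        candidates = [(len(labels(z)), "zone", z) for z in self.zones if is_within(qname, z)]
        candidates += [(len(labels(d)), "referral", d) for d in self.delegations
                       if is_within(qname, d)]
        if not candidates:
            return ("forward", self.forwarder, None)
        _, kind, match = max(candidates)
        if kind == "referral":
            return ("referral", match, self.delegations[match])
        ip = self.zones[match].get(".".join(labels(qname)))
        return ("answer", match, ip) if ip else ("nxdomain", match, None)


# The taccorp.net intranet server after the merger (constructed addresses):
TACCORP_DNS = DnsServer(
    zones={"taccorp.net": {"www.taccorp.net": "10.1.1.10", "mail.taccorp.net": "10.1.1.25"}},
    delegations={"shinder.net": "192.0.2.53"},   # shinder.net intranet DNS, reached over the VPN
    forwarder="192.0.2.1",                       # external DNS, authoritative for tacteam.net
)
```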
The actual management of domain resources is done via adding and updating records in a DNS zone database. This database is created when you make a new zone in the Windows 2000 DNS server. Creating a new zone is easy with the Windows 2000 DNS server because a wizard guides you through the process. There’s not much of a chance of making a mistake when you use the wizard. The zone database file is a text file that is located at:

    %systemroot%\system32\dns\<zone_name>.dns

An example of the contents of the zone file appears in Figure 7.14.

Figure 7.14 Example zone database file for blah.com.

The zone database file is compatible with BIND (Berkeley Internet Name Domain) zone database files used by many UNIX-based DNS servers. In fact, you can use the DNS management console or directly edit the zone file to manage your DNS zones. We highly recommend that you use the DNS management console to avoid problems related to “clumsy fingers.”

A zone is named by the topmost domain represented in a particular zone file. For example, if our zone contains the microsoft.com and the dev.microsoft.com domains, then the name of the zone is the microsoft.com zone, since microsoft.com is the topmost member of the zone. If we had another zone that consisted of marketing.microsoft.com and west.marketing.microsoft.com, the name of the zone would be the marketing.microsoft.com zone, because marketing.microsoft.com is the topmost member of the zone.

Standard Zones

Standard zones are categorized as either Primary or Secondary. When you first create a new zone in the Windows 2000 DNS management console, you will be configuring a Primary zone. A Primary zone is the only read/write copy of the zone database.
Because there is only one read/write copy of the zone database file, the Primary zone DNS server becomes a single point of failure if updates need to be made to the zone database. DNS was designed to have at least two DNS servers configured for each zone, for fault tolerance reasons. When a copy of a zone is maintained on another DNS server, that server is known as a Secondary DNS server. The Secondary DNS server houses a read-only copy of the zone database file. You cannot directly edit the copy of the zone database file on a Secondary DNS server.

You can easily create a new zone by using the New Zone Wizard included with the Windows 2000 DNS server. After installing the DNS service on your computer, open the DNS management console. Right-click on the name of your server, and select New Zone, as seen in Figure 7.15. Just answer the wizard’s questions, and you’ve got yourself a new zone.

Zones are populated with resource records. There are a number of different resource record types. The most common resource record is the host, or A, record. This host record supplies the host name and IP address mapping for a computer within the zone. To add a new host, right-click on your new zone, select New Host, and then enter the host name and the IP address as shown in Figure 7.16.

Other common resource record types you will encounter include the NS (name server), MX (Mail Exchanger), and CNAME (canonical name) records. The NS record is used to define the host names of the servers that are authoritative for a zone. This can be a Primary or Secondary DNS server for the zone. The NS record informs machines that send DNS queries to the DNS server that “I know what is true regarding this zone, and the buck stops here.” Figure 7.17 shows the Name Servers tab that appears in the domain’s Properties sheet.
You can find this by right-clicking the name of one of your domains, selecting Properties, and then clicking the Name Servers tab. You can add the name and IP address of another DNS server that will be authoritative for the domain by clicking Add. Be sure that you’ve configured the machine that you’re adding here as a Secondary DNS server for the zone, so that it can act as an authority for the zone. Did you notice that Add is grayed out in Figure 7.17? That is because we took this screen shot from a machine that is a Secondary for the tacteam.net zone.

Figure 7.15 Creating a new zone in the DNS management console.

... other) DNS servers. Keep this in mind when troubleshooting zone transfer difficulties.

Figure 7.23 The Advanced tab on the DNS server’s Properties sheet.

Reverse Lookup Zones

The type of queries we’ve been dealing with up to this point are often referred to as forward lookups. A forward lookup is when you send ...

... always update the PTR record reliably. Therefore, if you are having problems with reverse lookups, check to make sure the PTR record is correct. The following is an example of the contents of a reverse lookup zone database file:

    ;
    ;  Database file 1.168.192.in-addr.arpa.dns for 1.168.192.in-addr.arpa zone ...

... dynamic updates. Windows 2000 DNS clients can update their own addresses and pointer records on either a standard Windows 2000 zone or a Directory integrated zone.

NOTE: The resource records are not secure in a standard zone, and any computer claiming a name can update a resource record for a particular ...

... lookup zone for the network ID on which the DNS server is located, and then creating a PTR record for the DNS server itself.

NOTE: Although you are not required to create reverse lookup zones, you might find queries execute faster once you’ve put one in place. If you are running any type of security or IP ...

    ...
        QUESTIONS:
            185.1.168.192.in-addr.arpa, type = PTR, class = IN
        ANSWERS:
        ->  185.1.168.192.in-addr.arpa
            name = constellation.tacteam.net
            ttl = 3600 (1 hour)
    ——————
    Server:  constellation.tacteam.net
    Address:  192.168.1.185
    ——————
    Got answer:
        HEADER:
            opcode = QUERY, id = 2, rcode = NOERROR
            header flags:  response, auth ...

... did your nslookup lookups for the authoritative DNS servers for each domain.

5. To test this, go into your network properties and make your machine its own preferred DNS server. Flush the DNS cache by issuing the ipconfig /flushdns command from the command prompt. Now ping www.microsoft.com, ftp.microsoft.com, ...

... Servers are often named based on the services they provide, such as “ftp,” “www,” and “mail” for an FTP server, Web server, and Mail server, respectively. Figure 7.19 shows the add CNAME record Properties sheet. In this example, EXETER is a machine on the ...

Figure 7.18 The New Resource Record MX dialog box.

... every phone number in the book and hope to be lucky and find that it’s one in the front of the book (assuming that we start looking in the front first). This clearly isn’t a very efficient method to search the IP address namespace. At one time, inverse lookups were used to trawl the IP address namespace, ...

... successfully performed a WINS referral, the returned answer would be Excalibur.west.tacteam.net.

Figure 7.26 DNS client configuration of DNS suffixes appended to unqualified requests.

By disabling WINS lookups from all zones except the wins.tacteam.net zone, all queries that are resolved via a WINS lookup will ...

... limitations and issues that can crop up.

WINS and WINS-R Incompatibility with BIND Servers

If you have zones that employ WINS and WINS-R resolution, you may have problems with zone transfer to DNS servers that do not support the WINS and WINS-R resource records. BIND DNS servers do not support these resource records.
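The reverse lookup zone file and the PTR check above, as an added example that is not part of the book: it derives the in-addr.arpa name a reverse lookup asks for, parses a constructed reverse zone written in the BIND-compatible format the Windows 2000 DNS server uses, and flags PTR records whose names no longer resolve back to the same address, which is the check to run when a client's PTR was not updated reliably. The zone contents, the host exeter.tacteam.net's addresses and the forward A table are constructed.

```python
import ipaddress

# Added example, not the book's code. It builds the in-addr.arpa name a reverse lookup
# asks for, parses a small BIND-style reverse zone file like the one Windows 2000 keeps
# under %systemroot%\system32\dns, and cross-checks PTRs against forward A records.
REVERSE_ZONE_TEXT = """\
;  Database file 1.168.192.in-addr.arpa.dns for 1.168.192.in-addr.arpa zone.
@          IN  SOA constellation.tacteam.net. admin.tacteam.net. (
           3          ; serial number
           900        ; refresh
           600        ; retry
           86400      ; expire
           3600 )     ; minimum TTL
@          NS  constellation.tacteam.net.
185        PTR constellation.tacteam.net.
186        PTR exeter.tacteam.net.
"""
FORWARD_A = {"constellation.tacteam.net": "192.168.1.185",   # constructed forward zone
             "exeter.tacteam.net": "192.168.1.200"}          # the PTR above still says .186

def reverse_name(ip: str) -> str:
    """192.168.1.185 -> 185.1.168.192.in-addr.arpa (IPv6 yields the ip6.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer

def parse_zone(text: str, origin: str) -> dict:
    """(owner fqdn, rrtype) -> [rdata]. Handles ';' comments, '@', relative owners,
    a blank owner (repeat previous), optional TTL/class, and the bracketed SOA."""
    records, in_paren, last_owner = {}, False, "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_paren:                               # inside SOA ( ... ): skip to ')'
            in_paren = ")" not in line
            continue
        if not line.strip():
            continue
        fields = line.split()
        last_owner = owner = last_owner if line[0].isspace() else fields.pop(0)
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if fields and fields[0].isdigit():          # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":    # optional class
            fields.pop(0)
        rdata = " ".join(f.rstrip(".") for f in fields[1:] if f != "(")
        records.setdefault((owner.rstrip("."), fields[0].upper()), []).append(rdata)
        in_paren = "(" in line and ")" not in line
    return records

def ptr_lookup(records: dict, ip: str):
    names = records.get((reverse_name(ip), "PTR"), [])
    return names[0] if names else None

def stale_ptrs(records: dict, forward: dict) -> list:
    """(ip, PTR name, A record) for every PTR whose name does not map back to that ip."""
    bad = []
    for (owner, rrtype), names in records.items():
        if rrtype == "PTR" and owner.endswith(".in-addr.arpa"):
            ip = ".".join(reversed(owner[:-len(".in-addr.arpa")].split(".")))
            bad += [(ip, n, forward.get(n)) for n in names if forward.get(n) != ip]
    return bad

RECORDS = parse_zone(REVERSE_ZONE_TEXT, "1.168.192.in-addr.arpa")
```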

Posted on: 13/08/2014, 12:21
