Sunday, August 30, 2009

Interview Question for active directory and exchange

DNS in Windows 2000

Introduction

Active Directory is tightly coupled with the Domain Name System (DNS). Both clients and domain controllers use DNS to locate domain controllers in a particular site or that serve a particular function. Each domain controller requires numerous resource records to be present in DNS so it can advertise its services as a domain controller, global catalog server, PDC Emulator, etc. For a detailed description of each of these records plus much more on DNS, see Chapter 6 in Active Directory, Second Edition (O'Reilly).

One of the innovative uses of Active Directory is as a store of DNS data. Instead of using the antiquated primary and secondary zone transfer method or even the more recent NOTIFY method (RFC 1996) to replicate zone data between servers, AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

The Anatomy of a DNS Object

The only time DNS data is stored in Active Directory is if you have a zone that is AD-integrated. When using standard primary and secondary zones that are not AD-integrated, the DNS data is stored locally in the file system of each DNS server in zone files. If you have an AD-integrated zone under Windows 2000, a container is created in the following location: cn=,cn=MicrosoftDNS,cn=System,, where is the name of the zone. For Windows Server 2003, you can use application partitions to store DNS data in an alternate location. By default, there are three options:

· Store DNS data on all domain controllers in a domain (only option for Windows 2000).

· Store DNS data on all domain controllers that are DNS servers in the domain.

· Store DNS data on all domain controllers that are DNS servers in the forest.

The default location for the second option is dc=DomainDNSZones, and for the third option, it is dc=ForestDNSZones,. These two locations are actually application partitions that are replicated only to the domain controllers that are DNS servers in the domain or forest, respectively.

Inside the MicrosoftDNS container is a dnsZone object for each AD-integrated zone. Inside each dnsZone container are dnsNode objects, which store all resource records associated with a particular node. In the following textual representation of an A record, the dc1.rallencorp.com name is the node (generally the left side of the resource record).

dc1.rallencorp.com. 600 IN A 6.10.57.21

There could be multiple resource records associated with the dc1.rallencorp.com name, so Microsoft decided to implement each distinct name as a dnsNode object. The dnsNode object has a dnsRecord attribute, which is multivalued and contains all of the resource records associated with that node. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable.
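As an added example (not code from the cookbook), the following Python decodes the binary dnsRecord value described above back into the textual form shown for dc1.rallencorp.com. The layout is the DNS_RPC_RECORD structure from Microsoft's MS-DNSP specification (a 24-byte header followed by type-specific data); the record blobs are constructed inside the script, and the second owner name and its timestamp are made-up sample values. The TimeStamp field, hours since 1601, is what DNS aging uses: zero marks a static record that is never scavenged.

```python
"""Decode the dnsRecord attribute of a dnsNode object (MS-DNSP DNS_RPC_RECORD)."""
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

# Fixed 24-byte header of DNS_RPC_RECORD (MS-DNSP section 2.3.2.2).
# All fields are little-endian except TtlSeconds, which is stored in network order.
_HEAD = struct.Struct("<HHBBHL")   # DataLength, Type, Version, Rank, Flags, Serial
_TTL = struct.Struct(">L")         # TtlSeconds
_TAIL = struct.Struct("<LL")       # Reserved, TimeStamp (hours since 1601-01-01 UTC; 0 = static)
HEADER_LEN = _HEAD.size + _TTL.size + _TAIL.size

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR", 28: "AAAA", 33: "SRV"}
RANK_ZONE = 0xF0          # authoritative data held in the zone itself
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def build_record(rtype, rdata, ttl, timestamp_hours=0, serial=1):
    """Pack a dnsRecord value. Used here only to construct sample input."""
    return (_HEAD.pack(len(rdata), rtype, 5, RANK_ZONE, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, timestamp_hours) + rdata)


def parse_dns_record(blob):
    """Decode one dnsRecord value into a dict; raises ValueError on a malformed blob."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the DNS_RPC_RECORD header")
    data_len, rtype, _version, rank, _flags, serial = _HEAD.unpack_from(blob, 0)
    (ttl,) = _TTL.unpack_from(blob, _HEAD.size)
    _reserved, ts_hours = _TAIL.unpack_from(blob, _HEAD.size + _TTL.size)
    rdata = blob[HEADER_LEN:HEADER_LEN + data_len]
    if len(rdata) != data_len:
        raise ValueError("DataLength %d exceeds the blob size" % data_len)
    name = TYPE_NAMES.get(rtype, "TYPE%d" % rtype)
    if name == "A" and data_len == 4:
        text = str(ipaddress.IPv4Address(rdata))
    elif name == "AAAA" and data_len == 16:
        text = str(ipaddress.IPv6Address(rdata))
    else:
        text = rdata.hex()   # other types keep their type-specific layout undecoded
    return {
        "type": name, "ttl": ttl, "rank": rank, "serial": serial, "data": text,
        # A zero TimeStamp means the record was added statically and is never aged.
        "static": ts_hours == 0,
        "timestamp": None if ts_hours == 0 else EPOCH_1601 + timedelta(hours=ts_hours),
    }


def text_representation(owner, rec):
    """Render a parsed record in the zone-file style the chapter shows."""
    return "%s. %d IN %s %s" % (owner, rec["ttl"], rec["type"], rec["data"])


# Constructed samples: the chapter's A record (static) and a dynamically
# registered one with a hypothetical timestamp of 3,500,000 hours since 1601.
SAMPLE_STATIC = build_record(1, ipaddress.IPv4Address("6.10.57.21").packed, 600)
SAMPLE_DYNAMIC = build_record(1, ipaddress.IPv4Address("6.10.57.22").packed, 1200,
                              timestamp_hours=3_500_000)

if __name__ == "__main__":
    for owner, blob in (("dc1.rallencorp.com", SAMPLE_STATIC),
                        ("ws1.rallencorp.com", SAMPLE_DYNAMIC)):
        rec = parse_dns_record(blob)
        when = "static" if rec["static"] else "dynamic, stamped %s" % rec["timestamp"]
        print(text_representation(owner, rec), "(%s)" % when)
```

Because the parser checks DataLength against the bytes actually present, a truncated or tampered value raises instead of being silently misread; that matters when the values are pulled from the directory by an audit script rather than typed by hand.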

Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on dnsZone and dnsNode objects, respectively.

Table 13-1. Attributes of dnsZone objects

Attribute                        Description
---------                        -----------
dc                               Relative distinguished name of the zone.
dnsProperty                      Binary formatted string that stores configuration information about the zone.
msDS-Approx-Immed-Subordinates   Approximate number of nodes contained within the zone. This is new to Windows Server 2003.

Table 13-2. Attributes of dnsNode objects

Attribute        Description
---------        -----------
dc               Relative distinguished name of the node.
dnsRecord        Binary formatted multivalued attribute that stores the resource records associated with the node.
dnsTombstoned    Boolean that indicates whether the node is marked for deletion (TRUE) or not (FALSE).

1 Creating a Forward Lookup Zone

13.1.1 Problem

You want to create a forward lookup zone. A forward lookup zone maps names to IP addresses or other names.

13.1.2 Solution

13.1.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and click on Forward Lookup Zones.

4. Right-click on Forward Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This applies only to Windows Server 2003.)

8. Enter the zone name and click Next.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.1.2.2 Using a command-line interface

The following command creates an AD-Integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

2 Creating a Reverse Lookup Zone

13.2.1 Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

13.2.2 Solution

13.2.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and click on Reverse Lookup Zones.

4. Right-click on Reverse Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This applies only to Windows Server 2003.)

8. Type the Network ID for the reverse zone or enter a reverse zone name to use.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.2.2.2 Using a command-line interface

The following command creates an AD-integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

3 Viewing a Server's Zones

13.3.1 Problem

You want to view the zones on a server.

13.3.2 Solution

13.3.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the supported zones.

13.3.2.2 Using a command-line interface

> dnscmd <DNSServerName> /enumzones

13.3.2.3 Using VBScript

' This code lists the zones that are supported by the specified server.
' ------ SCRIPT CONFIGURATION ------
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
' ------ END CONFIGURATION ---------
 
' Connect to the WMI DNS provider on the target server.
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
   WScript.Echo " " & objZone.Name
next

13.3.3 Discussion

13.3.3.1 Using a graphical user interface

When you click on either the Forward Lookup Zones or Reverse Lookup Zones in the left pane, the right pane contains a Type column that displays the zone type for each zone.

13.3.3.2 Using a command-line interface

When the /enumzones switch is used without any further parameters, it displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters:

Filter1:
    /Primary
    /Secondary
    /Cache
    /Auto-Created
Filter2:
    /Forward
    /Reverse

With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of two levels of criteria, you can specify one or more of the following:

/Primary
/Secondary
/Forwarder
/Stub
/Cache
/Auto-Created
/Forward
/Reverse
/Ds
/File
/DomainDirectoryPartition
/ForestDirectoryPartition
/CustomDirectoryPartition
/LegacyDirectoryPartition
/DirectoryPartition 

4 Converting a Zone to an AD-Integrated Zone

13.4.1 Problem

You want to convert a primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file.

13.4.2 Solution

13.4.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.

5. Click on the zone you want to convert, then right-click it and select Properties.

6. Beside Type, click the Change button.

7. Check the box beside Store the zone in Active Directory.

8. Click OK twice.

13.4.2.2 Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary


5 Moving AD-Integrated Zones into an Application Partition

This recipe requires the Windows Server 2003 domain functional level.

13.5.1 Problem

You want to move AD-integrated zones into an application partition.

13.5.2 Solution

13.5.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Change button beside Replication.

7. Select the application partition you want to move the zone into.

8. Click OK twice.

13.5.2.2 Using a command-line interface

The following command will move a zone to the default application partition that replicates across all domain controllers that are DNS servers in the domain:

> dnscmd  /zonechangedirectorypartition <ZoneName> /domain

6 Delegating Control of a Zone

13.6.1 Problem

You want to delegate control of managing the resource records in a zone.

13.6.2 Solution

13.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Security tab.

7. Click the Add button.

8. Use the Object Picker to locate the user or group to which you want to delegate control.

9. Under Permissions, check the Full Control box.

10. Click OK.

13.6.2.2 Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;
 

7 Creating and Deleting Resource Records

13.7.1 Problem

You want to create and delete resource records.

13.7.2 Solution

13.7.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

4. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).

5. Fill in all required fields.

6. Click OK.

To delete a resource record, do the following:

7. In the left pane, click on the zone the record is in.

8. In the right pane, right-click on the record you want to delete and select Delete.

9. Click Yes to confirm.

13.7.2.2 Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:

> dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.2.25

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the rallencorp.com zone:

> dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.2.25
 

8 Querying Resource Records

13.8.1 Problem

You want to query resource records.

13.8.2 Solution

13.8.2.1 Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

13.8.2.2 Using a command-line interface

In the following command, replace with the type of resource record you want to find (e.g., A, CNAME, SRV) and with the name or IP address of the record to match:

> nslookup -type=<RecordType> <RecordName>

13.8.2.3 Using VBScript

' This code prints the resource records that match
' the specified name
' ------ SCRIPT CONFIGURATION ------
strQuery = "<RecordName>"
' ------ END CONFIGURATION ---------
 
set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' strQuery is embedded in the WQL text as-is; a value containing a double
' quote would break the query, so keep it to a plain DNS name or address.
set objRRs = objDNS.ExecQuery(" select * " & _
                              " from MicrosoftDNS_ResourceRecord" & _
                              " where  OwnerName = """ & strQuery & """" & _
                              " Or  DomainName = """ & strQuery & """" & _
                              " Or RecordData = """ & strQuery & """")
if objRRs.Count = 0 then
   WScript.Echo "No matches found for " & strQuery
else
   for each objRR in objRRs
      WScript.Echo objRR.TextRepresentation
   next
end if

13.8.3 Discussion

13.8.3.1 Using a command-line interface

You can leave off the -type switch and the command will find any A, PTR, and CNAME records that match . You can also run nslookup from interactive mode, which can be entered by typing nslookup at a command prompt with no additional parameters.

9 Modifying the DNS Server Configuration

13.9.1 Problem

You want to modify the DNS Server settings.

13.9.2 Solution

13.9.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Click on the server, right-click on it, and select Properties.

4. There will be several tabs you can choose from to edit the server settings.

5. Click OK to commit the changes after you've completed your modifications.

13.9.2.2 Using a command-line interface

With the following command, replace with the name of the setting to modify and with the value to set:

> dnscmd <DNSServerName> /config  /<Setting> <Value>
 

10 Scavenging Old Resource Records

13.10.1 Problem

You want to scavenge old resource records. DNS scavenging is the process whereby resource records are automatically removed if they are not updated within a period of time. Typically this applies only to resource records that were added via DDNS, but manually added (static) records can also be scavenged. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

13.10.2 Solution

The following solutions will show how to enable automatic scavenging on all AD-integrated zones.

13.10.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Click on the server, right-click on it, and select Set Aging/Scavenging for all zones.

4. Check the box beside Scavenge stale resource records.

5. Configure the No-Refresh and Refresh intervals as necessary and click OK.

6. Check the box beside Apply these settings to the existing Active Directory-integrated zones and click OK.

7. Right-click on the server again and select Properties.

8. Select the Advanced tab.

9. Check the box beside Enable automatic scavenging of stale resource records.

10. Configure the scavenging period as necessary.

11. Click OK.

13.10.2.2 Using a command-line interface

> dnscmd <DNSServerName> /config /ScavengingInterval <ScavengingMinutes>
> dnscmd <DNSServerName> /config /DefaultAgingState 1
> dnscmd <DNSServerName> /config /DefaultNoRefreshInterval <NoRefreshMinutes>
> dnscmd <DNSServerName> /config /DefaultRefreshInterval <RefreshMinutes>
> dnscmd <DNSServerName> /config ..AllZones /aging 1
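The No-Refresh and Refresh intervals set above define a timeline for every dynamically registered record, and getting them wrong is how scavenging deletes records for hosts that are merely offline. The following Python, an added example rather than the cookbook's own code, walks a set of records through that timeline: during the No-Refresh window the server ignores refreshes from the owner, during the Refresh window the owner may renew its timestamp, and once both have elapsed the record is eligible for deletion at the next scavenging run. Static records (no timestamp) are never aged. The 7-day intervals are the values Windows uses by default; the owner names and timestamps are constructed sample data.

```python
"""Work through the DNS aging timeline that scavenging applies to dynamic records."""
from datetime import datetime, timedelta, timezone


def aging_state(timestamp, now, no_refresh, refresh):
    """
    Classify one record by its last dynamic update time (None = static record).
      static     : never aged, regardless of the zone's aging settings
      no-refresh : owner refresh attempts are ignored; record is safe
      refresh    : owner may refresh; record is safe until the window ends
      stale      : eligible for deletion at the next scavenging run
    """
    if timestamp is None:
        return "static"
    if now < timestamp + no_refresh:
        return "no-refresh"
    if now < timestamp + no_refresh + refresh:
        return "refresh"
    return "stale"


def earliest_removal(timestamp, no_refresh, refresh):
    """Earliest moment a dynamic record can be scavenged if its owner never refreshes it."""
    return timestamp + no_refresh + refresh


def scavenging_report(records, now, no_refresh, refresh):
    """Map each owner name to its aging state at time `now`."""
    return {owner: aging_state(ts, now, no_refresh, refresh)
            for owner, ts in records.items()}


def stale_owners(records, now, no_refresh, refresh):
    """Owner names that a scavenging run at `now` would delete."""
    report = scavenging_report(records, now, no_refresh, refresh)
    return sorted(owner for owner, state in report.items() if state == "stale")


# Windows defaults: 7-day No-Refresh and 7-day Refresh intervals.
DEFAULT_NO_REFRESH = timedelta(hours=168)
DEFAULT_REFRESH = timedelta(hours=168)

# Constructed sample data: a reference time and four records' last-update times.
NOW = datetime(2009, 8, 30, tzinfo=timezone.utc)
SAMPLE_RECORDS = {
    "wins01.rallencorp.com": None,                     # added by hand with /recordadd
    "ws1.rallencorp.com": NOW - timedelta(days=3),     # registered 3 days ago
    "ws2.rallencorp.com": NOW - timedelta(days=10),    # registered 10 days ago
    "old-ws.rallencorp.com": NOW - timedelta(days=20), # registered 20 days ago
}

if __name__ == "__main__":
    for owner, state in scavenging_report(SAMPLE_RECORDS, NOW,
                                          DEFAULT_NO_REFRESH, DEFAULT_REFRESH).items():
        ts = SAMPLE_RECORDS[owner]
        removal = "never" if ts is None else earliest_removal(ts, DEFAULT_NO_REFRESH, DEFAULT_REFRESH)
        print("%-24s %-11s earliest removal: %s" % (owner, state, removal))
```

Running the report with the intervals you intend to set, against the longest outage your hosts legitimately have (a laptop away for two weeks, a lab machine powered off over a holiday), shows whether those hosts would land in the stale bucket before they return.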
 

11 Clearing the DNS Cache

13.11.1 Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the resolver on any Windows client (servers and workstations), and the other to the cache used by the Microsoft DNS server.

13.11.2 Solution

To flush the client resolver cache, use the following command:

> ipconfig /flushdns

To flush the DNS server cache, use any of the following solutions.

13.11.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. Right-click on the server and select Clear Cache.

13.11.2.2 Using a command-line interface

The following command will clear the cache on . You can leave out to run against the local server:

> dnscmd <DNSServerName> /clearcache
 

12 Verifying That a Domain Controller Can Register Its Resource Records

13.12.1 Problem

You want to verify DNS is configured correctly so that a domain controller can register its resource records, which are needed for clients to be able to locate various AD services.

13.12.2 Solution

13.12.2.1 Using a command-line interface

This test is available only with the Windows Server 2003 version of dcdiag.

With the following dcdiag command, replace dc1 with the DNS name of the domain the domain controller is in. This command has to be run directly on the domain controller you want to test.

> dcdiag /test:RegisterInDNS /DnsDomain:dc1
 
   Starting test: RegisterInDNS
      DNS configuration is sufficient to allow this domain controller to
      dynamically register the domain controller Locator records in DNS.
 
      The DNS configuration is sufficient to allow this computer to dynamically
      register the A record corresponding to its DNS name.
 
      ......................... dc1 passed test RegisterInDNS

13 Registering a Domain Controller's Resource Records

13.13.1 Problem

You want to manually force registration of a domain controller's resource records. This may be necessary if you've made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

13.13.2 Solution

13.13.2.1 Using a command-line interface

> nltest /dsregdns /server:<DomainControllerName>
 

14 Preventing a Domain Controller from Dynamically Registering All Resource Records

13.14.1 Problem

You want to prevent a domain controller from dynamically registering its resource records using DDNS. If you manually register domain controllers' resource records, you'll want to prevent those domain controllers from attempting to dynamically register them. If you do not stop them from sending dynamic update requests, you may see annoying error messages on your DNS servers that certain DDNS updates are failing.

13.14.2 Solution

13.14.2.1 Using a command-line interface
> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v UseDynamicDNS /t REG_DWORD /d 0
The operation completed successfully.
 
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
 
> del %SystemRoot%\system32\config\netlogon.dnb
 
> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
 

15 Preventing a Domain Controller from Dynamically Registering Certain Resource Records

13.15.1 Problem

You want to prevent a domain controller from dynamically registering certain resource records. It is sometimes advantageous to prevent certain resource records from being dynamically registered. For example, if you want to reduce the load on the PDC Emulator for a domain, you could prevent some of its SRV records from being published, which would reduce the amount of client traffic the server receives.

13.15.2 Solution

13.15.2.1 Using a command-line interface

This command prevents the Ldap, Gc, and GcIpAddress resource records from being dynamically registered:

> reg add HKLM\System\CurrentControlSet\Services\Netlogon\Parameters /v DnsAvoidRegisterRecords /t REG_MULTI_SZ /d Ldap\0Gc\0GcIpAddress
The operation completed successfully.
 
> net stop netlogon
The Net Logon service is stopping.
The Net Logon service was stopped successfully.
 
> del %SystemRoot%\system32\config\netlogon.dnb
 
> net start netlogon
The Net Logon service is starting.......
The Net Logon service was started successfully.
 

16 Deregistering a Domain Controller's Resource Records

13.16.1 Problem

You want to manually deregister a domain controller's resource records.

13.16.2 Solution

13.16.2.1 Using a command-line interface

With the following nltest command, replace with the FQDN of the domain controller you want to deregister and with the FQDN of the domain of which the domain controller is a member:

> nltest /dsderegdns:<DomainControllerName> /Dom:<DomainDNSName>
 
 

17 Allowing Computers to Use a Different Domain Suffix from Their AD Domain

13.17.1 Problem

You want to allow computers to use a different domain suffix than their AD domain.

13.17.2 Solution

The following solutions work only for Windows Server 2003 domains. Read the Discussion for a workaround for Windows 2000.

13.17.2.1 Using a graphical user interface

1. Open ADSI Edit.

2. Connect to the domain you want to edit.

3. Right-click on the domainDNS object and select Properties.

4. Edit the msDS-AllowedDNSSuffixes attribute and enter the DNS suffix you want to add.

5. Click OK.

13.17.2.2 Using a command-line interface

Create an LDIF file called add_dns_suffix.ldf with the following contents:

dn: <DomainDN>
changetype: modify
add: msDS-AllowedDNSSuffixes
msDS-AllowedDNSSuffixes: <DNSSuffix>
-

then run the following command:

> ldifde -v -i -f add_dns_suffix.ldf
 



