
The Best Damn Windows Server 2003 Book Period- P70 pdf



Pages: 10
Size: 407.38 KB


Using the esentutl Command

Although all of the operations covered previously in this section used the Ntdsutil command-line utility, most actually performed their work by calling the Esentutl command. ESENT (Extensible Storage Engine for NT) is one of the acronyms used to refer to the ESE database system that Active Directory uses. The Esentutl command is the maintenance command that is associated with this database system. Because Microsoft prefers that you use the Ntdsutil command for all low-level database maintenance operations, they built calls to most of the major Esentutl operations into it. However, you do not have to use Ntdsutil to perform these operations. The following are two of the commands from earlier in the chapter with their associated Esentutl command-line arguments:

■ Integrity
  %SYSTEMROOT%\System32\esentutl.exe /g "C:\Windows\NTDS\ntds.dit" /o

■ Recover
  %SYSTEMROOT%\System32\esentutl.exe /redb /l "C:\Windows\NTDS" /s "C:\WINNT\NTDS" /8 /o

The esentutl.exe command used in conjunction with the /p switch, shown in Figure 19.19, is considered the most dangerous of all the low-level database commands. In Windows 2000, this command was available as the repair option in Ntdsutil, and it has been removed in the version of Ntdsutil that ships with Windows Server 2003. This option performs a very low-level and highly invasive binary database repair operation. It is very likely that you will lose some data when using this option, and it is highly possible that it will be data essential to your Active Directory database. You should use this command with the /p switch only when you have been advised to do so by Microsoft support personnel, or when you feel that you have tried everything else to get Active Directory to initialize. Always make a backup of your database file before you run this utility.

In most cases, you will be resorting to this option when Active Directory can no longer initialize, and you will be booted to Directory Services Restore Mode. The simplest way to back up the database and related components in this scenario is to copy them to a second location in the file system, using Windows Explorer. If Active Directory can initialize and you still feel you should (or Microsoft tech support asks you to) run this command, you must boot into Directory Services Restore Mode first. The database must be offline for low-level operations such as this. Microsoft recommends running a semantic database analysis after this command has completed successfully. To use the repair command, enter the following at a command prompt:

  %SYSTEMROOT%\system32\esentutl.exe /p "C:\Windows\NTDS\ntds.dit" /!10240 /8 /o

Figure 19.19 The esentutl Repair Process

(Chapter 19 • Ensuring Active Directory Availability, page 656)

Changing the Directory Services Restore Mode Password

Because the Directory Services Restore Mode password is set during the installation of Active Directory, administrators often have difficulty remembering the password that was used when it is needed later. Fortunately, there is a way to change this password without having to remember what it was originally: by using the Ntdsutil command-line utility. To use this feature, the server on which you want to change the password cannot be running in Directory Services Restore Mode. Ntdsutil can be used to change the password on the DC locally, or on another DC within the forest. To change the Directory Services Restore Mode password, follow these steps:

1. Open a command prompt.
2. Type ntdsutil to enter the Ntdsutil utility. This is a command-line utility, so the command prompt will change to ntdsutil:.
3. Type Set DSRM Password.
4. At the Reset DSRM Administrator Password: prompt, type Reset Password on server <SERVER NAME>.
5. At the Please type password for DS Restore Mode Administrator Account: prompt, type the new password that you want to use.
6. At the Please confirm new password: prompt, re-type the new password that you want to use.
7. Review the feedback on the screen to ensure that the operation was successful. Figure 19.20 shows the full procedure.
8. Type quit or q to return to the ntdsutil: prompt.
9. Type quit or q again to exit the utility.
10. Close the command prompt window.

Figure 19.20 Using Ntdsutil to Reset the DSRM Password on a Server

Chapter 20: Planning, Implementing, and Maintaining a Name Resolution Strategy

In this chapter:
■ Planning for Host Name Resolution
■ Planning for NetBIOS Name Resolution
■ Troubleshooting Name Resolution Issues

Introduction

In this chapter, you’ll learn how to plan for the best way of resolving host and NetBIOS names on your network. We’ll discuss issues involved in designing a DNS namespace, such as choosing the parent domain name, the conventions and limitations that govern host names, the relationship of DNS and Active Directory (AD), and how to support multiple namespaces. Then we move on to planning DNS server deployment. You’ll find out how to consider factors such as the number of servers, server roles, server capacity, and server placement. We’ll also show you how to plan for zone replication between your DNS servers, and we’ll address planning for forwarding and how DNS interacts with the Dynamic Host Configuration Protocol (DHCP) on a Windows Server 2003 network.

We’ll discuss Windows Server 2003 DNS server interoperability with Berkeley Internet Name Domain (BIND) and other non-Windows DNS implementations. You’ll learn about zone transfers between Windows Server 2003 DNS servers and BIND servers, and we’ll discuss supporting AD with BIND. You’ll learn about split DNS configurations and how interoperability relates to other services such as Windows Internet Name Service (WINS) and DHCP. Next, we’ll address DNS security issues, including common DNS threats such as footprinting, redirection, and DNS denial-of-service (DoS) attacks. You’ll learn how to best secure your DNS deployment by using a split namespace and packet filtering. We’ll discuss how to determine the best DNS security level for your network. Next, we’ll look at DNS performance issues. We’ll show you how to monitor DNS server performance and how to analyze DNS server tests.

In the next section, you’ll find out what’s new for WINS in Windows Server 2003, and we’ll show you how to plan WINS server deployment and WINS replication. We’ll walk you through the process of configuring WINS replication partnerships, including push-only, pull-only, and push/pull configurations. We’ll also discuss common WINS issues, including configuration, performance, and security issues. We’ll show you how to plan for WINS database backup and how to troubleshoot name resolution problems related to both host names and NetBIOS names.

Planning for Host Name Resolution

One of the most common sources of trouble on any Windows network—whether it’s a Windows NT, Windows 2000, or Windows Server 2003 network—is faulty name resolution. When name resolution (the process of finding the IP addresses associated with computer names and services running on those computers) is not working perfectly, a multitude of problems can arise, including (but not limited to) the following:

■ Users might not be able to log on to the network.
■ Users might not be able to connect to applications and services residing on remote computers.
■ Domain controllers might not be able to communicate with each other.

In fact, problems with name resolution are so common that a typical first step in troubleshooting problems on a Windows network is to ensure that name resolution is working flawlessly. A common mantra that reflects this situation is the following: “The problem is irrelevant. The answer is DNS.” Although this is a gross oversimplification of the problems that can arise on a Windows network, it does contain a germ of truth. Planning for host name resolution on a Windows Server 2003 network means developing and implementing a fault-tolerant and secure strategy, whereby host computers on the network are always able to resolve computer names to IP addresses and locate services running on the network in a timely manner. On a Windows Server 2003 network, the primary mechanism for locating the domain controllers is host name resolution through DNS.

DNS Name Resolution Process

Distributing DNS Resource Records (RRs) among many different zones and domains has an effect on the name resolution process that needs to occur for a DNS client to find a host name-to-IP address mapping. Let’s take the example of a client trying to connect to www.research.microsoft.com. The DNS client is configured to use another DNS server to perform recursion on its behalf. (Performing recursion simply means that the DNS server will issue iterative queries to other DNS servers and accept referrals from these servers, until it receives a positive or a negative response, and then forward that response to the DNS client.) The DNS client issues a recursive query to the DNS server; the DNS server subsequently issues a series of iterative queries to resolve the name. Figure 20.1 shows the process that occurs in order to resolve www.research.microsoft.com to the IP address.

The process of recursion begins with the contacting of the root DNS servers, which are authoritative for the top-level domain on the Internet. To find these authoritative servers, the DNS server will consult its root hints file, which is a list of RRs that provides information about the name servers that are authoritative for the top-level domain on the Internet. Windows 2000 and Windows Server 2003 servers will automatically install this file when you install the DNS service on your server, in most circumstances. You can also get the most current version of this file from ftp://rs.internic.net/domain/named.root.

Note that the root hints file is present on the DNS server only if the DNS server has not itself been configured with a root, or ., zone. If this zone is present on your DNS server, it means that this server is the highest level of authority for the root domain, and the server will not be able to perform DNS queries on the Internet. If you use the Dcpromo utility to install and configure the DNS server as a prerequisite for installing a domain controller, that utility will automatically configure the DNS server with the . zone. If you wish to use the root hints file on this server to perform recursion on the Internet, you will need to first delete the . zone from the DNS server.

This recursion process assumes that no information about the FQDN for www.research.microsoft.com is cached on either the DNS client or dns1. However, over a period of time, dns1 would cache information about the domain namespace and would learn the IP addresses of authoritative name servers for domains and hosts on the Internet, thereby eliminating steps and speeding up the process of name resolution.
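The following is an added example (not code from the book) that models the recursion just described: a recursive server walks the referral chain of Figure 20.1 from the root hint down to the authoritative server, caches positive answers for the zone's SOA minimum TTL, and caches negative answers for the 5-minute default. Server addresses, zone data and the clock are constructed for the example.

```python
"""Model of the recursion in Figure 20.1, added here as an example (not
code from the book). dns1 walks the referral chain root -> .com ->
ns1.microsoft.com -> ns1.research.microsoft.com, caches positive answers
for the zone's SOA minimum TTL and negative answers for 300 seconds
(the 5-minute default). All addresses are constructed (TEST-NET)."""

NEGATIVE_TTL = 300   # seconds; default negative-caching period
MAX_REFERRALS = 10   # guard against a broken delegation loop

# Constructed authoritative data keyed by server address. Each server is
# authoritative for one zone, holds A records and delegates child zones
# to another server (its address stands in for the NS record plus glue).
SERVERS = {
    "192.0.2.1": {"zone": ".", "min_ttl": 86400, "a": {},   # root server
                  "delegations": {"com.": "192.0.2.2"}},
    "192.0.2.2": {"zone": "com.", "min_ttl": 3600, "a": {},  # .com server
                  "delegations": {"microsoft.com.": "192.0.2.3"}},
    "192.0.2.3": {"zone": "microsoft.com.", "min_ttl": 3600,  # ns1.microsoft.com
                  "a": {"www.microsoft.com.": "192.0.2.30"},
                  "delegations": {"research.microsoft.com.": "192.0.2.4"}},
    "192.0.2.4": {"zone": "research.microsoft.com.", "min_ttl": 600,  # ns1.research
                  "a": {"www.research.microsoft.com.": "192.0.2.40"},
                  "delegations": {}},
}
ROOT_HINT = "192.0.2.1"  # the address the root hints file would supply


def in_zone(name, zone):
    return name == zone or name.endswith("." + zone)


def authoritative_query(server_addr, qname):
    """One iterative A query to one server. Returns ('answer', ip, ttl),
    ('referral', child server address, None) or ('negative', None, ttl)."""
    srv = SERVERS[server_addr]
    if qname in srv["a"]:
        return ("answer", srv["a"][qname], srv["min_ttl"])
    # The longest matching delegation wins, as on a real server.
    for child in sorted(srv["delegations"], key=len, reverse=True):
        if in_zone(qname, child):
            return ("referral", srv["delegations"][child], None)
    return ("negative", None, srv["min_ttl"])


class RecursiveServer:
    """dns1: accepts a recursive query and iterates on the client's behalf."""

    def __init__(self, clock):
        self.clock = clock   # callable returning 'now' in seconds
        self.cache = {}      # qname -> (ip or None, expiry time)

    def resolve(self, qname):
        """Returns (ip or None, servers contacted in order); an empty
        list means the answer came from cache (a non-authoritative reply)."""
        now = self.clock()
        if qname in self.cache and self.cache[qname][1] > now:
            return self.cache[qname][0], []
        contacted, server = [], ROOT_HINT
        for _ in range(MAX_REFERRALS):
            contacted.append(server)
            kind, payload, ttl = authoritative_query(server, qname)
            if kind == "referral":
                server = payload
                continue
            # RFC 2308: a negative answer is cached too, but only briefly.
            life = ttl if kind == "answer" else NEGATIVE_TTL
            self.cache[qname] = (payload, now + life)   # payload is None if negative
            return payload, contacted
        raise RuntimeError("referral loop while resolving " + qname)


if __name__ == "__main__":
    dns1 = RecursiveServer(lambda: 0)
    print(dns1.resolve("www.research.microsoft.com."))  # four servers asked
    print(dns1.resolve("www.research.microsoft.com."))  # answered from cache
```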
But even without cached information, DNS host name resolution is very efficient, because it will normally use small UDP packets (512 bytes), unless the response is too large to be contained in a single UDP packet, in which case TCP will be used.

Figure 20.1 DNS Server Issuing Iterative Queries to Resolve an IP Address on Behalf of a DNS Client (participants: DNS Client, dns1.shinder.net, Root DNS Server, .com DNS Server, ns1.microsoft.com, ns1.research.microsoft.com)
1. DNS client sends recursive query to dns1.shinder.net for IP address of www.research.microsoft.com
2. dns1.shinder.net queries Root DNS server. Root replies with IP address of .com DNS server
3. dns1.shinder.net queries .com DNS server. The .com replies with IP address of ns1.microsoft.com
4. dns1.shinder.net queries ns1.microsoft.com. Server replies with IP address of ns1.research.microsoft.com
5. dns1.shinder.net queries ns1.research.microsoft.com. Server replies with IP address of www.research.microsoft.com
6. DNS client receives response after dns1.shinder.net performs iterative queries

In our example, three kinds of common responses to DNS queries are used:

■ An authoritative answer This means that a response is sent from a server that is authoritative for the record or domain.
■ A referral answer This means that an answer was sent back to the DNS requester that contained information not originally requested, to provide hints to find the answer. For example, if the request is for an A RR, the DNS server might return a CNAME or an NS record in response to the query to help the requester find the answer.
■ A positive answer This means that a positive response to the query is sent to the requester.

A fourth possible response is a negative answer. This means that the authoritative server does not have a record for the queried name, or that it does have a record for the queried name, but for a different RR type than specified in the query.

Regardless of the answer that is returned, the results are cached so that subsequent DNS queries can be answered with nonauthoritative responses from name servers that contain the cached information. With the exception of a negative answer, the results are cached according to the value specified for the minimum TTL in the authoritative zone’s SOA RR; that is, the authoritative name server controls the TTL of the RR for cached records on DNS requesters. In the case of a negative response, this information is also cached for a period of five minutes by default to prevent unnecessary consumption of resources if the name is queried again. The period for caching negative responses is relatively short, to allow the query to be resolved if the RR becomes available in the future. Negative caching is a DNS standard that is documented in RFC 2308.

It is possible to set up caching-only DNS servers. These are DNS servers that contain no zone information and function only to provide support for the recursion process for DNS clients. We will discuss the various DNS server roles later in this chapter.

Forward versus Reverse Lookup Zones

In most of the preceding discussion, we have focused on forward lookup zones. These are DNS data files that provide answers to forward queries that ask for the IP address of a particular FQDN. However, reverse lookup zones are also widely used to provide answers to reverse queries that ask for the FQDN of a particular IP address. For example, if you wanted to find the FQDN associated with a particular IP address, you would perform a reverse lookup against a reverse lookup zone. To handle reverse lookups, a special root domain called in-addr.arpa was created.
Subdomains within the in-addr.arpa domain are created using the reverse ordering of the octets that form an IP address. In order for reverse lookup zones to work properly, they use a special RR called a PTR record, which provides the mapping of the IP address in the zone to the FQDN.

Reverse lookup zones are used by certain applications, such as NSLookup (an important diagnostic tool that should be part of every DNS administrator’s arsenal). If a reverse lookup zone is not configured on the server to which NSLookup is pointing, you will get an error message when you invoke the nslookup command.

Install Windows Server 2003 DNS Service and Configure Forward and Reverse Lookup Zones

This procedure assumes that a single Windows Server 2003 server is installed as a stand-alone server and is not a member of any domain. Before you install the DNS service, you might wish to ensure that the domain name in the FQDN for the computer name matches the domain name of the DNS forward lookup zone you plan to install. It is not a requirement that the domain name of the FQDN and the DNS forward lookup zone match. However, if they do match, you will find that Windows Server 2003 adds the appropriate records to the forward lookup zone for the DNS server. To change the FQDN for the computer, follow these steps:

1. On the Windows Server 2003 desktop, right-click the My Computer icon and select Properties from the context menu.
2. Select the Computer Name tab, and then click the Change button.
3. In the Computer Name Changes property pages, click the More button.
4. In the DNS Suffix and NetBIOS Computer Name property page, change the primary DNS suffix to tacteam.local (or a name of your own choosing) and click OK. Reboot the computer when prompted.

Another prerequisite for installing DNS is that your TCP/IP properties should be configured with a static IP address, and the primary DNS settings should be configured to point to the address of the computer on which you are installing DNS. To configure TCP/IP properties, follow these steps:

1. On the Windows Server 2003 desktop, right-click the My Network Places icon and select Properties from the context menu.
2. In the Network Connections folder, right-click the Local Area Connection icon and select Properties from the context menu.
3. Highlight TCP/IP, and then select Properties.
4. In the TCP/IP properties page, configure a static IP address, and then configure the primary DNS server settings to point to the IP address of the server. (For the examples in this chapter, we are using addresses on the 192.168.100.0/24 network.)

After you have configured your computer with the appropriate FQDN and IP address, you can install the DNS service. There are a couple of ways you can do this. You can install the DNS service through the Manage Your Server page that appears when you first log on to your Windows Server 2003 computer, or you can install the service through Control Panel | Add/Remove Programs | Windows Components. In this example, we will install the service through Control Panel. To install the DNS service, follow these steps:

1. Select Start | Control Panel | Add or Remove Programs.
2. Select Add/Remove Windows Components.
3. In the Windows Component Wizard dialog box, scroll down the list of Windows components, highlight Networking Services, and then click Details.
4. In the Networking Services dialog box, click Domain Name System (DNS) to place a check mark in its box, and then click OK.
5. If prompted, insert the Windows Server 2003 source CD to provide the installation files for the DNS service, or enter the name of a network path to the installation files.

The DNS service is now installed on your Windows Server 2003 computer. By default, the DNS server is installed with the root hints file and will resolve queries to the Internet. If you have an Internet connection, you can verify this by using the browser on the Windows Server 2003 server and connecting to a Web site. (Alternatively, you can verify this by performing the test labeled Perform a recursive query to other DNS servers, which you can find in the DNS console on the Monitoring tab of the properties of the DNS server.)

Next, we cover the steps to add a forward lookup zone. We begin by creating a standard primary forward lookup zone:

1. Navigate to the DNS console by selecting Start | Programs | Administrative Tools | DNS. (You can also invoke the DNS console through the Manage Your Server page that is displayed when logging on to the Windows Server 2003 computer.)
2. In the DNS console, right-click Forward Lookup Zones and click New Zone in the context menu.
3. The New Zone Wizard appears. Click Next. Ensure Primary Zone is selected as the zone type and click Next.
4. Type in tacteam.local as the zone name, and then click Next. (You can also type in a domain name of your own choosing. For ease of configuration later, it should match the domain name portion of the FQDN of the computer name.)
5. Select the option to Create a new file with this name. (A filename has already been created based on the domain name.) Click Next.
6. On the subsequent page, click Next again to accept the default setting not to allow dynamic updates, and then click Finish.

We now need to verify the records in the new zone. To do this, perform these steps:

1. In the DNS console, expand Forward Lookup Zones, and then click the zone you just created.
2. Examine the contents of the zone on the right side of the window. You should see three records: an SOA, an NS, and a Host (A) record. If you are missing any of these records, the reason is that the domain you chose to create did not match the domain in the FQDN for the computer name, or the TCP/IP configuration was not pointing to the configured IP address for the primary DNS.

We now can create a reverse lookup zone. The reverse lookup zone is used to resolve IP addresses to names. In addition, if we want to use NSLookup to query the DNS server, we need a reverse lookup zone containing a PTR RR that points to the authoritative DNS server in the zone. The domain name will be based on the IP subnet and the suffix, in-addr.arpa. In these examples, we are using the subnet 192.168.100.0/24, so the reverse lookup domain will be 100.168.192.in-addr.arpa.

1. In the DNS console, right-click Reverse Lookup Zones and click New Zone in the context menu.
2. Follow the previous steps for creating a forward lookup zone. However, you will need to type the network ID of your network when prompted. (The New Zone Wizard will create the appropriate domain name based on your network ID, so do not change the order of the octets in your address. If you are following the setup for these examples, you should type 192.168.100 as the network ID in the Wizard.)

After you have created the reverse lookup zone, examine the records that are created in it. You should see only two records: an SOA record and an NS record. Open a command prompt and invoke the nslookup command. You should see an error message, such as the following:

  *** Can't find server name for address 192.168.100.21: Non-existent domain
  Default Server: UnKnown
  Address: 192.168.100.21

To correct this situation, we need to add a PTR RR for the DNS server. To do so, follow these steps:

1. Right-click the reverse lookup zone you just created and select New Pointer (PTR) from the context menu.
2. In the New Resource Record dialog box, enter the host ID for the DNS server (the last number in the IP address), click Browse, and navigate to the A record for your DNS server in the forward lookup zone you created previously.
3. Finish creating the record. You should now have a PTR record in addition to the NS and SOA records. To verify the record is correct, invoke the nslookup command from a command prompt. You should see the name of the DNS server (instead of “Unknown”) in the output.

Now that you have installed a DNS server and have created forward and reverse lookup zones, you will be able to explore and examine DNS server settings. You should use the New Delegation Wizard to create a delegation of authority to a subdomain of the domain you just created. To create a delegation of authority from a parent domain, right-click the forward lookup zone for the parent domain and select New Delegation. Follow the steps presented by the Wizard. It’s obviously better if a DNS server that is authoritative for the subdomain actually exists, but if this is not the case, you can still create the records used to delegate authority.

If you are able, you should install a second Windows Server 2003 server to further explore the features of DNS, such as zone transfers, stub domains, and so on. This server can be installed on a virtual machine using VMware; you can run multiple virtual machines, all of which can communicate with one another on the network.
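As an added example (not code from the book), the helpers below derive the in-addr.arpa zone name the New Zone Wizard builds from a network ID, build a host's PTR owner name, and check a forward zone's A records against the reverse zones, so a missing PTR like the one behind the nslookup error above is reported before anyone runs nslookup. The zone contents and host names are constructed for the example.

```python
"""Reverse-lookup helpers, added as an example (not code from the book).
Derives the in-addr.arpa zone the New Zone Wizard builds from a network
ID, builds a host's PTR owner name, and checks a forward zone against
its reverse zones so a missing PTR (the cause of the nslookup error
shown above) is found early. All zone data here is constructed."""
import ipaddress


def reverse_zone_name(network):
    """'192.168.100.0/24' -> '100.168.192.in-addr.arpa'. The wizard's
    network-ID field works on whole octets, so only /8, /16 and /24
    network IDs are accepted here."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("network ID must be an IPv4 /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip):
    """'192.168.100.21' -> '21.100.168.192.in-addr.arpa'."""
    return ipaddress.ip_address(ip).reverse_pointer


def missing_ptrs(forward_zone, a_records, reverse_zones):
    """a_records: {host: ip} from the forward zone; reverse_zones:
    {zone name: {ptr owner name: fqdn}}. Returns one (fqdn, ip, zone)
    tuple per host whose PTR is absent or names a different host; zone
    is None when no reverse zone covers the address at all."""
    problems = []
    for host, ip in a_records.items():
        fqdn = f"{host}.{forward_zone}."
        owner = ptr_owner_name(ip)
        zone = next((z for z in reverse_zones if owner.endswith("." + z)), None)
        if zone is None:
            problems.append((fqdn, ip, None))
        elif reverse_zones[zone].get(owner) != fqdn:
            problems.append((fqdn, ip, zone))
    return problems


if __name__ == "__main__":
    # Constructed state right after the zones are created: the reverse
    # zone holds only SOA and NS, so the DNS server's own PTR is missing.
    forward = {"dns1": "192.168.100.21", "ws1": "192.168.100.50"}
    reverse = {reverse_zone_name("192.168.100.0/24"): {}}
    for fqdn, ip, zone in missing_ptrs("tacteam.local", forward, reverse):
        print(f"add PTR {ptr_owner_name(ip)} -> {fqdn} in zone {zone}")
```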

Posted: 04/07/2014, 23:21
