Chapter 4: Monitoring and Maintaining Network Infrastructure Servers

Dynamic Host Configuration Protocol

FIGURE 4.4 DHCP within a network [figure: an RFC 1542-compliant router joins two subnets of DHCP clients to the DHCP server (NICs 1 and 2); NIC 3 faces the Internet]

Another consideration is security. Look back at Figure 4.4: the NIC labeled 3 is your firewall, and it should block UDP ports 67 and 68. A DHCP server answers unicast requests forwarded by an RFC 1542 relay agent as well as broadcasts on its own subnets, so if ports 67 and 68 are open to the Internet, someone outside your network can pose as a relay, issue DHCP requests, and receive leases. Each lease hands over valuable information about your network: an IP address and subnet mask, the routers, the DNS servers and DNS domain name, the WINS servers, and more. Collecting this kind of information about a target network is known as footprinting.

Options

You can add options to any DHCP lease. Options provide the DHCP client with additional TCP/IP configuration settings. Common DHCP options and their option numbers are as follows:

003 Router (also referred to as the default gateway)
006 DNS Servers
015 DNS Domain Name
032 Router Solicitation Address
044 WINS/NBNS Servers
046 WINS/NBT Node Type
060 PXE Client (this is the vendor class identifier option of RFC 2132; the Windows DHCP console labels it PXE Client)

You can add options at the server level or at the scope level. Options added at the server level apply to all clients unless the same option is also assigned at the scope level, in which case the scope option wins. In other words, if you created a server option assigning the IP address 192.168.1.2 for the 006 DNS Servers option, every client served by the server would receive it. If you then assigned 192.168.1.3 as the 006 DNS Servers option for a scope, the scope option would take precedence, and all clients in that scope would receive 192.168.1.3 for their DNS server. An option set on an individual reservation overrides the scope option in the same way.

Windows Deployment Services Interaction

Windows Deployment Services (WDS) was covered in depth in Chapter 2, "Planning Server Deployments." One of the possible issues with WDS arises when DHCP and WDS are installed on the same system: both WDS and DHCP listen on UDP port 67.
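To make the footprinting risk concrete, here is an added example (Python, written for this page; it is not code from the book) that assembles the DHCPOFFER a server would send for a constructed configuration modelled on the server-level versus scope-level 006 example above, then decodes it the way an outsider who can reach UDP port 67 would. The server identifier 192.168.1.10, the leased address 192.168.1.50, the WINS server 192.168.1.5, the node type, and the lease length are assumed values, and option 60 is set to PXEClient to show what a client sees when the DHCP server is also a WDS/PXE server.

```python
import ipaddress
import struct
from typing import Dict, List, Union

# Option numbers from the Options list (3, 6, 15, 44, 46, 60) plus the ones
# every DHCPOFFER carries (1, 51, 53, 54). Names follow RFC 2132.
OPTION_NAMES = {
    1: "subnet_mask", 3: "routers", 6: "dns_servers", 15: "dns_domain_name",
    44: "wins_servers", 46: "netbios_node_type", 51: "lease_time",
    53: "message_type", 54: "server_identifier", 60: "vendor_class_id",
}
IP_OPTIONS = {1, 3, 6, 44, 54}      # values are one or more IPv4 addresses
TEXT_OPTIONS = {15, 60}             # values are ASCII strings
MAGIC_COOKIE = b"\x63\x82\x53\x63"
DHCPOFFER = 2

# Constructed configuration (assumed values, not from the book): option 006 is
# 192.168.1.2 at the server level and overridden to 192.168.1.3 in the scope.
SERVER_OPTIONS = {6: ["192.168.1.2"], 15: "mcitpsuccess.hme",
                  44: ["192.168.1.5"], 46: 8, 60: "PXEClient"}
SCOPE_OPTIONS = {1: ["255.255.255.0"], 3: ["192.168.1.1"],
                 6: ["192.168.1.3"], 51: 8 * 24 * 3600}
SERVER_IDENTIFIER = "192.168.1.10"   # assumed address of the DHCP server


def effective_options(server: dict, scope: dict) -> dict:
    """Scope options take precedence over server options with the same code."""
    return {**server, **scope}


def encode_options(opts: dict) -> bytes:
    """Encode a {code: value} mapping as DHCP TLV options, terminated by END (255)."""
    out = bytearray(MAGIC_COOKIE)
    for code in sorted(opts):
        value = opts[code]
        if code in IP_OPTIONS:
            data = b"".join(ipaddress.IPv4Address(ip).packed for ip in value)
        elif code in TEXT_OPTIONS:
            data = value.encode("ascii")
        elif code == 51:
            data = struct.pack("!I", value)
        else:
            data = bytes([value])        # single-byte options such as 46 and 53
        out += bytes([code, len(data)]) + data
    out.append(255)
    return bytes(out)


def compose_offer(server: dict, scope: dict, yiaddr: str, xid: int = 0x3903F326) -> bytes:
    """Build the DHCPOFFER for one lease: fixed 236-byte BOOTP header followed by the options."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                 # op=BOOTREPLY, htype=Ethernet, hlen, hops, xid, secs, flags
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
        b"\0" * 16, b"\0" * 64, b"\0" * 128,   # chaddr, sname, file
    )
    opts = effective_options(server, scope)
    opts[53] = DHCPOFFER
    opts[54] = [SERVER_IDENTIFIER]
    return header + encode_options(opts)


def parse_offer(payload: bytes) -> Dict[str, Union[str, int, List[str]]]:
    """Decode the lease and options from a DHCP reply: the footprinting view of the packet."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    info: Dict[str, Union[str, int, List[str]]] = {"your_ip": str(ipaddress.IPv4Address(payload[16:20]))}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:                  # PAD
            i += 1
            continue
        if code == 255:                # END
            break
        if i + 1 >= len(payload):
            raise ValueError("option %d has no length byte" % code)
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d is truncated" % code)
        i += 2 + length
        name = OPTION_NAMES.get(code, "option_%d" % code)
        if code == 1:
            info[name] = str(ipaddress.IPv4Address(data))
        elif code in IP_OPTIONS:
            info[name] = [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, length - length % 4, 4)]
        elif code in TEXT_OPTIONS:
            info[name] = data.decode("ascii", "replace")
        elif code == 51:
            info[name] = struct.unpack("!I", data)[0]
        elif length == 1:
            info[name] = data[0]
        else:
            info[name] = data.hex()
    return info


def is_pxe_server(info: dict) -> bool:
    """Option 60 = 'PXEClient' tells a PXE client that this DHCP server is also the WDS/PXE server."""
    return info.get("vendor_class_id") == "PXEClient"


if __name__ == "__main__":
    offer = compose_offer(SERVER_OPTIONS, SCOPE_OPTIONS, "192.168.1.50")
    for key, value in parse_offer(offer).items():
        print("%-20s %s" % (key, value))
```

Running it prints the decoded lease: the routers, DNS and WINS servers, domain name, node type, and even whether a PXE/WDS server is present are exactly the details a firewall that blocks UDP 67/68 keeps inside the network. Notice also that the client receives 192.168.1.3, not 192.168.1.2, because the scope option replaces the server option, and that a truncated option makes parse_offer raise rather than silently return partial data.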
If WDS and DHCP are both installed on the same server, you have to modify the default settings. A PXE client must obtain an IP address from DHCP before it can contact WDS, so disabling DHCP isn't an option. Instead, you configure WDS so that it does not listen on port 67 and configure DHCP option 060 on the DHCP server. Figure 4.5 shows the option configured as a server option.

FIGURE 4.5 Configuring option 060 when DHCP and WDS are on the same server

The DHCP option 060 PXE Client does not appear in the console unless your server has the WDS role installed. Like any other option (such as the default gateway or DNS addresses), option 060 is included in the DHCP response to the client. Option 060 informs the client that the DHCP server is also the WDS server, so the client sends its PXE boot request to that same server. If DHCP is already installed when you install WDS, the WDS Configuration Wizard recognizes the configuration and prompts you to configure both settings automatically. On the other hand, if you add DHCP to an existing WDS server, you'll have to configure these options yourself.

DHCP Management

When planning for the management of DHCP, you need to consider two built-in groups. When DHCP is installed on a domain controller, both groups are created in the Users container within Active Directory Users and Computers (on a member server they are local groups). They are as follows:

DHCP Administrators: Users in the DHCP Administrators group can fully administer DHCP with one exception: they cannot authorize a DHCP server in Active Directory, which requires Enterprise Admins rights. DHCP Administrators can create and modify scopes, add and modify server and scope options, and add and modify reservations. If an administrator is assigned responsibility for a DHCP server, she should be added to the DHCP Administrators group.

DHCP Users: The DHCP Users group can view but not modify settings and information within the DHCP console. As an example, you may have a midnight shift that monitors a group of servers. To give them permission to view the DHCP console for troubleshooting purposes, you'd add them to the DHCP Users group.
They could view the information but would not be able to make any changes, whether on purpose or by accident. Of course, users in the Domain Admins group (who can do anything in the entire domain) and the Enterprise Admins group (who can do anything in the entire forest) can also fully administer DHCP. However, with the principle of least privilege in mind, you wouldn't add a user to one of those groups just to administer DHCP.

Domain Name System

Domain Name System (DNS) servers are primarily used to resolve hostnames. Every host that has an IP address can also have a hostname. Instead of remembering the IP address, we remember the name, and DNS resolves the name to an IP address.

Within a Windows network using Active Directory Domain Services, DNS is also used to locate specific servers through SRV records. For example, a service may need to find a global catalog server or the PDC emulator. SRV records are used to find servers with these capabilities, and more.

When learning DNS (and preparing for the 70-646 exam), it's important to have a solid understanding of DNS zone types, zone files, and zone records. This chapter covers each of these to help you reinforce the important pieces of DNS.

DNS has been in use on the Internet since 1983, when it replaced the centrally maintained HOSTS.TXT file of the ARPANET. However, DNS has not always been the primary name resolution method within networks. In the NT 4.0 days, DNS was rarely used on internal networks simply because it was too difficult to keep the names registered. On the Internet, each record added to a DNS zone is added manually. This works fine because hosts on the Internet rarely change: if you host a website, it runs on a specific server, and the address of that server rarely, if ever, changes.

That's not the same on internal networks.
Typically DHCP is used to dynamically assign IP addresses, so it's very possible for a client to get a new address if it is turned off one day and turned back on the next. Since clients can receive different IP addresses, a method is needed to update DNS with the client's new IP address. This process is called dynamic update.

Names

When discussing name resolution, it's important to understand that we traditionally have two types of names: hostnames and NetBIOS names. With the introduction of the GlobalNames zone in Windows Server 2008, we also have a third type: global names.

Hostnames: Hostnames are used on the Internet and within Windows domains to identify systems within the network. A fully qualified hostname can be up to 255 characters long, with each label at most 63 characters, though within a network the computer name itself is generally kept to fewer than 16 characters. A name of fewer than 16 characters is compatible with NetBIOS names. Hostnames are used within the hierarchy of DNS and are supported in both IPv4 and IPv6.

Hostnames must be unique within a namespace but can be duplicated in different namespaces. For example, the hostname MCITP1 cannot be repeated within the domain mcitpsuccess.hme. It would have the fully qualified name MCITP1.mcitpsuccess.hme, and there can be only one such fully qualified domain name. If you expand the DNS hierarchy, you could have additional domains such as north.mcitpsuccess.hme, south.mcitpsuccess.hme, and so on. Within each namespace you could have another server named MCITP1, giving the fully qualified names MCITP1.north.mcitpsuccess.hme and MCITP1.south.mcitpsuccess.hme, respectively. Notice that the hostname can be repeated, but only in different namespaces.

Hostnames and NetBIOS names are not case sensitive. In other words, MCITP1 is the same as mcitp1. Likewise, the fully qualified domain name is not case sensitive: MCITP1.MCITPSUCCESS.HME is the same as mcitp1.mcitpsuccess.hme. It's not uncommon to mix cases for readability.
NetBIOS names: NetBIOS names are used only within internal networks to identify systems. A NetBIOS name is composed of 16 characters, but only the first 15 are readable; the 16th character identifies the service running on the computer. A NetBIOS name is a single name; said another way, it exists within a flat namespace and has no hierarchy to give it a fully qualified domain name. A server named MCITP1 is simply MCITP1, no matter which domain the server belongs to. NetBIOS names are not supported over IPv6.

Global names: A global name is new to Windows Server 2008 and is a name that can be resolved using the new GlobalNames zone feature. The addition of the GlobalNames zone and global names is intended to help enterprises eliminate WINS from the network.

Remember, a hostname can be far longer than the 15 readable characters of a NetBIOS name. If a longer hostname is used for a computer, the name is truncated to its first 15 characters to form the NetBIOS name. For example, if a computer were given the hostname microsoftcertifieditpro1 (instead of MCITP1), its NetBIOS name would be truncated to microsoftcertif. This is not so bad in itself, but if you created another server named microsoftcertifieditpro2, it would also be truncated to microsoftcertif. With two computers holding the same NetBIOS name, you'd have problems. This is why administrators generally limit hostnames to 15 characters.

If you examine how a simple command such as PING works with these names, you'll see how a name can be interpreted either as a hostname or as a NetBIOS name. Consider a computer named MCITP1 within the domain north.mcitpsuccess.hme. If you enter PING MCITP1 at the command line, here's what typically happens:

1. First, the domain name is appended to the hostname, giving MCITP1.north.mcitpsuccess.hme.
PING tries to resolve this hostname using the methods available (host cache, hosts file, and DNS).
2. Next, the name is devolved. This is a fancy way of saying that the child domain label (north in this example) is removed from the fully qualified domain name. PING then tries to resolve MCITP1.mcitpsuccess.hme to an IP address.
3. If PING still doesn't have an IP address, it uses the flat NetBIOS name MCITP1 and tries to resolve it using the NetBIOS methods available (NetBIOS cache, WINS, LMHosts file, and broadcast).

In other words, the name MCITP1 could be either a hostname or a NetBIOS name. The application assumes it's one or the other and attempts to resolve it on that assumption. If unsuccessful, most applications attempt to resolve it using the remaining name resolution methods.

In a forest with multiple namespaces, it's common to use Group Policy to populate the DNS suffix search list on clients. For example, a forest with the namespaces mcitpsuccess.hme, contoso.msft, and nwtraders.msft could have all three in a client's suffix list. The hostname would be appended to each suffix in turn, and each fully qualified name would be tried until the name was resolved.

Name Resolution Methods

It's easy to get caught up in the idea that DNS does all name resolution within a network, but actually several types of name resolution are still in use in Microsoft networks today. They are aligned with the three types of names in use: hostnames, global names, and NetBIOS names.

Table 4.3 shows the three name types with their primary methods of name resolution. However, it's important to realize that applications rarely stop with just one method. They keep trying name resolution methods until they get an answer or have exhausted all of them.
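The following added example (Python, written for this page rather than taken from the book) models the resolution walk just described: it builds the list of fully qualified names a client tries for a single-label name, using either the primary suffix with devolution or a Group Policy suffix search list, falls back to the 15-character NetBIOS name when the hostname methods fail, and reproduces the microsoftcertifieditpro1/microsoftcertifieditpro2 collision from the previous section. The hosts, DNS, WINS, and LMHosts tables are constructed sample data, and the method order and the stop at two labels are a simplification of the Windows resolver, assumed for the example.

```python
from typing import Dict, List, Optional, Tuple

# Constructed lookup tables standing in for the real stores (sample data, not from the book).
HOSTS_FILE: Dict[str, str] = {"mcitp9.mcitpsuccess.hme": "192.168.1.9"}
DNS_A_RECORDS: Dict[str, str] = {
    "mcitp1.mcitpsuccess.hme": "192.168.1.21",
    "mcitp1.north.mcitpsuccess.hme": "192.168.10.21",
    "fs1.contoso.msft": "10.1.1.5",
}
NETBIOS_CACHE: Dict[str, str] = {}            # what nbtstat -c would show
WINS_DB: Dict[str, str] = {"MCITP1": "192.168.10.21", "MICROSOFTCERTIF": "192.168.1.77"}
LMHOSTS: Dict[str, str] = {"OLDSRV": "192.168.1.200"}


def netbios_name(hostname: str, service: int = 0x20) -> bytes:
    """The 16-byte NetBIOS name: first 15 characters upper-cased and space-padded,
    16th byte = service type (0x20 is the file server service)."""
    base = hostname.split(".", 1)[0].upper()[:15].ljust(15)
    return base.encode("ascii") + bytes([service])


def dns_candidates(name: str, primary_suffix: str,
                   search_list: Optional[List[str]] = None,
                   devolution_level: int = 2) -> List[str]:
    """FQDNs the resolver tries, in order. A single-label name gets every entry of the
    suffix search list if one is configured; otherwise the primary suffix, then its
    devolved parents down to devolution_level labels (assumed simplification)."""
    name = name.lower().rstrip(".")
    if "." in name:                                   # already qualified: try it as given
        return [name]
    if search_list:
        return ["%s.%s" % (name, s.lower().rstrip(".")) for s in search_list]
    labels = primary_suffix.lower().rstrip(".").split(".")
    out = []
    while len(labels) >= devolution_level:
        out.append("%s.%s" % (name, ".".join(labels)))
        labels = labels[1:]                           # drop the leftmost (child) label
    return out


def resolve(name: str, primary_suffix: str,
            search_list: Optional[List[str]] = None) -> Tuple[Optional[str], str]:
    """Walk the methods of Table 4.3 in order and return (ip, method that answered)."""
    for fqdn in dns_candidates(name, primary_suffix, search_list):
        if fqdn in HOSTS_FILE:                        # hosts entries are preloaded into the host cache
            return HOSTS_FILE[fqdn], "hosts"
        if fqdn in DNS_A_RECORDS:
            return DNS_A_RECORDS[fqdn], "dns"
    # Hostname methods failed: fall back to the flat, 15-character NetBIOS name.
    key = netbios_name(name)[:15].decode().rstrip()
    for store, method in ((NETBIOS_CACHE, "netbios-cache"), (WINS_DB, "wins"), (LMHOSTS, "lmhosts")):
        if key in store:
            NETBIOS_CACHE[key] = store[key]           # answers are cached for the next lookup
            return store[key], method
    return None, "broadcast"   # last resort; routers do not forward it, so only the local subnet hears it


if __name__ == "__main__":
    for args in (("MCITP1", "north.mcitpsuccess.hme"),
                 ("MCITP1", "south.mcitpsuccess.hme"),
                 ("microsoftcertifieditpro2", "mcitpsuccess.hme"),
                 ("microsoftcertifieditpro1", "mcitpsuccess.hme")):
        print(args[0], "->", dns_candidates(*args), "->", resolve(*args))
```

The two MCITP1 lookups show devolution at work: from south.mcitpsuccess.hme the child name misses and the devolved MCITP1.mcitpsuccess.hme answers. The two long names show the security side of truncation: both collapse to MICROSOFTCERTIF, so the second one is answered from the NetBIOS cache with the first one's address.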
TABLE 4.3 Name Resolution Methods

Type of Name   Static Method   Dynamic Method   Cache           Vista and Server 2008 only
NetBIOS name   LMHosts file    WINS             NetBIOS cache   -
Hostname       Hosts file      DNS              Host cache      LLMNR
GlobalNames*   -               DNS GNZ          -               -
All            -               Broadcast        -               -

* Global names are new to Windows Server 2008 and won't be found elsewhere. They are used for single-label names.

NetBIOS names are considered legacy today, and whenever possible it's recommended to disable NetBIOS over TCP/IP within a network because of its security issues: broadcast and WINS answers are unauthenticated, so any host on the segment can answer a query with its own address. However, many applications still expect a name to be a NetBIOS name and try the NetBIOS methods of name resolution. The three primary types of name resolution for NetBIOS names are as follows:

LMHosts. This is a plain text file in which you can enter NetBIOS names and IP addresses. When used, it is located in the %SystemRoot%\System32\drivers\etc folder by default (C:\Windows\System32\drivers\etc on a default installation). The LMHosts.sam file is a sample file and can be renamed to LMHosts with no extension.

WINS. A WINS server can be used to dynamically resolve NetBIOS names. When used, clients dynamically register their names and IP addresses when they boot. WINS then responds to a query for a NetBIOS name with the matching IP address. In Windows Server 2008, WINS is a feature rather than a full server role.

NetBIOS cache. Once a NetBIOS name is resolved, it is placed in the NetBIOS cache. Before a WINS server is queried again, the cache is checked. You can view the cache entries with the NetBIOS over TCP/IP statistics command: nbtstat -c.

The following types of name resolution methods are used to resolve hostnames:

Hosts. This is a plain text file in which you can enter hostnames and IP addresses. When used, it is located in the same %SystemRoot%\System32\drivers\etc folder by default. Once a name mapping is placed in the hosts file, it is immediately loaded into the host cache.

DNS.
The DNS server is used to dynamically resolve hostnames. Within a Windows Server 2000, 2003, or 2008 network, dynamic DNS is used, and clients automatically register their names with the DNS server when they boot. Records for DNS servers on the Internet must be updated manually.

DNS GNZ. DNS servers in Windows Server 2008 can host a GlobalNames zone that is used for single-label (global) name resolution. This works similarly to the way NetBIOS names are resolved by a WINS server.

Host cache. When a name is resolved from DNS, it is automatically placed in the host cache. Additionally, when names and IP addresses are entered into the hosts file, they are automatically added to the cache. You can view the host cache with ipconfig /displaydns and purge it with ipconfig /flushdns.

Link-Local Multicast Name Resolution (LLMNR). LLMNR is new and is supported on Windows Vista and Windows Server 2008. It is sometimes loosely called multicast DNS, though it is a different protocol from Apple's Bonjour mDNS. LLMNR is used to resolve names on a local network segment when a DNS server is not available. For example, if a failed router cuts a subnet off from all DNS servers on the network, LLMNR can still resolve some hostnames. Like NetBIOS broadcast, LLMNR accepts an answer from any host on the segment, so a rogue host can answer for any name; on networks where every name is in DNS it is safer to turn LLMNR off through Group Policy along with NetBIOS over TCP/IP.

The last method can be used with either NetBIOS names or hostnames.

Broadcast. The last method reminds me of my wife (though I dearly love her). She may be downstairs, but when she wants something, she broadcasts, and everyone knows she wants something. Similarly, the broadcast method sends a name request to all computers within earshot, and if any host has that name, it answers with its IP address. It's worth mentioning that routers do not pass broadcasts, so "within earshot" means only the same subnet.

Zones

When discussing DNS, we use the term zone. A DNS zone is a group of resource records associated with a specific namespace. It includes mappings of names to IP addresses, IP addresses to names, names to services, and more.
If you know DNS from Windows Server 2003, you'll be happy to know that there aren't many significant differences between DNS zones in Server 2003 and Server 2008. The primary differences relate to read-only domain controllers and WINS.

If a DNS server is responsible for maintaining the records for a given namespace, it is considered authoritative for that zone. For example, you could have a domain named mcitpsuccess.hme with a DNS server named DNS1 that is authoritative for the namespace mcitpsuccess.hme. Imagine querying DNS1 for the IP address of a server named MCITP7 and DNS1 answering negatively, meaning that there is no host named MCITP7. You've received a definitive answer, since DNS1 is the authority for mcitpsuccess.hme.

Zones are divided into zone types, zone files, and zone records. Any of the zone types can have one or two zone files, and zone files contain zone records.

The primary tool used to manage DNS is the DNS Manager console. Figure 4.6 shows the DNS Manager console as viewed on server MCITP1. This server is hosting an Active Directory-integrated (ADI) primary zone for the mcitpsuccess.hme namespace, and several records appear in the display pane.

FIGURE 4.6 Viewing the DNS Manager console

Several of the folders start with an underscore (_). The underscore marks the folders that hold SRV records. SRV records are required within an Active Directory domain; in other words, by looking at Figure 4.6 you can easily tell that this DNS server is hosting records for a domain.

In the following sections, we'll explore zone types, zone files, and zone records, but it's good to have the big picture first. Zones (primary, secondary, GlobalNames, or stub) hold one or two zone files, and zone files hold zone resource records.
Zone types. The following are the zone types:
Primary
Secondary
Stub
Active Directory-integrated
GlobalNames

Zone files. The following are the zone files:
Forward lookup zone file (holds A records, and more). This primarily provides hostname-to-IP-address resolution.
Reverse lookup zone file (holds PTR records). This provides IP-address-to-hostname resolution.

Zone resource records. The following are the zone resource records:
A (host) IPv4
AAAA (host) IPv6
PTR
SOA
SRV
NS
MX
CNAME (alias)

Zone Types

Windows Server 2008 DNS has three basic zone types: primary, secondary, and stub. A primary or stub zone can additionally be stored in Active Directory (an Active Directory-integrated zone), and the GlobalNames zone is a specially named primary zone, which is why the list above has five entries.

Primary zone: A primary zone is a zone hosted by a DNS server where the server is the primary source of information about the zone. In other words, the DNS server for a primary zone is authoritative for that zone. If the zone is not an Active Directory-integrated zone, the primary DNS server holds the only read/write copy of the database, so you would have only one primary DNS server. When using Active Directory-integrated zones (and this is recommended), you can have multiple primary DNS servers for the same zone. However, each DNS server hosting the zone as a primary must then store it in Active Directory, which means it must be a domain controller.

Secondary zone: A secondary zone is created on a different DNS server to provide load balancing and fault tolerance for the DNS server holding the primary zone. The secondary zone is a read-only copy of the zone data; it cannot be modified except through zone transfers. Periodically, the DNS server hosting the secondary zone is updated through a process known as a zone transfer. Either the secondary DNS server queries the primary DNS server to determine whether its copy is out of date (by comparing the serial number in the SOA record), or the primary DNS server notifies the secondary server that a change has occurred.
An incremental zone transfer (IXFR) sends only the records that have been added, deleted, or modified since the secondary's serial number; a full transfer (AXFR) sends the entire zone and is used when the secondary has no copy yet or the primary cannot serve an incremental transfer. Because a zone transfer hands out every record in the zone, the primary should allow transfers only to the name servers listed for the zone (or to an explicit list of servers): an attacker who can pull a zone transfer has footprinted the whole namespace in one query.

Stub zone: A stub zone is a copy of the key records of another zone. Its purpose is to identify the DNS servers that are authoritative for that zone. A stub zone does not contain all of the records in the zone, only enough to communicate with the authoritative DNS servers: the start of authority (SOA) record, the name server (NS) records, and the host (A) records for those name servers.

Active Directory-integrated zones: Both primary zones and stub zones can also be Active Directory-integrated zones. An ADI zone is one that is stored in the Active Directory database. A significant benefit of using ADI zones is that DNS zone replication becomes part of Active Directory replication. Whenever a change occurs to objects (such as users, computers, and in this case DNS zone records) within Active Directory, the replication process recognizes the change and sends it to the other domain controllers. Since the zone data moves as part of Active Directory replication, it travels over the authenticated and encrypted replication channel rather than as a plain DNS zone transfer. Additionally, since every DNS server that hosts an ADI zone holds a writable primary copy of it, an ADI zone provides built-in fault tolerance: if a single DNS server fails, the other DNS servers automatically take on the load.

The three options you have when selecting Active Directory replication are as follows:

To all DNS servers in the forest. When this option is selected, the DNS zone data is replicated to all Windows Server 2003 and Windows Server 2008 domain controllers in the forest that are also DNS servers. The zone data is replicated as part of the ForestDNSZones application partition.

To all DNS servers in the domain. This option replicates the DNS zone data to all Windows Server 2003 and Windows Server 2008 domain controllers in the domain that are also DNS servers.
The zone data is replicated as part of the DomainDNSZones application partition.

To all domain controllers in the domain. If you have DNS servers running Windows Server 2000 and you want them to host ADI zones, you have to select this option. Windows 2000 doesn't have the capability to use Active Directory application partitions, so the zone data must be stored in the domain partition and replicated to every domain controller in the domain, whether or not it runs DNS. If you don't have any Active Directory-integrated zones on Windows Server 2000 servers, don't use this option; application partitions provide better performance.

Microsoft recommends you use Active Directory-integrated zones whenever possible. It is easier to manage DNS with ADI zones, and if you want to secure DNS, an ADI zone provides extra security capabilities such as the ability to accept secure dynamic updates only, so that each computer can update only the records it registered itself.

[...]

... lease.

Requirements

The requirements to use DHCP enforcement are as follows:
The DHCP server must be running Windows Server 2008.
The DHCP server must have the Network Policy Server (NPS) role installed, either as a RADIUS server or as a RADIUS proxy that forwards requests to an NPS server ...

[...]

... name of the server. Both DNS and WINS can have the majority of their records updated automatically without an administrator having to add each record. WINS uses a registration process, and DNS uses dynamic update.

WINS Is a Feature

A significant difference between WINS in Server 2008 and previous Windows Server products (such as Windows Server 2003) is that WINS is not considered a full server role ...

[...]

... so records must be added manually. A GNZ can be hosted only on a DNS server that is authoritative for the zone and running on a Windows Server 2008 domain controller. It's recommended that the zone be Active Directory-integrated and replicated to all DNS servers in the forest, but remember that all DNS servers must be running Windows Server 2008 to support the GNZ. Before a GlobalNames zone can be created, ...

[...]

... dynamic updates on your network. What are the prerequisites? (Choose all that apply.)
A. The DNS server must be on the DHCP server.
B. The DNS server must be on a domain controller.
C. The zone must be ADI.
D. You must have a GlobalNames zone on the DNS server.

15. You administer a domain using only Windows Server 2008 servers as domain controllers. You are planning a strategy for network access. You need to ensure ...

[...]

... DNS server redirects the client to a writable DNS server. In step 3, the client completes the dynamic update with the writable DNS server. In step 4, the writable DNS server replicates the record to the local (read-only) DNS server via Active Directory replication. Although not shown in the figure, DHCP updates the PTR record using the same referral process: the local DNS server redirects DHCP to a writable DNS server ...

[...]

... In Windows Server 2003, the predictions were repeated by many administrators: WINS won't be needed anymore. Yet it remained in many environments (including mine). With Windows Server 2008, the predictions are more cautious. You may be able to get rid of WINS; it depends on the applications you use in your environment. However, Windows Server 2008 DNS introduced the GlobalNames Zone feature, which does get ...

[...]

... SOA record of the primary DNS server. When a secondary DNS server queries the primary DNS server, a copy of the SOA record is sent. If the primary's serial number is newer (higher under DNS serial-number arithmetic), the secondary DNS server requests a zone transfer.
Primary server: This shows the fully qualified name of the DNS server that is authoritative for the zone.
Responsible person: This indicates an email address that administrators can use to contact ...

[...]

... WINS, you use Server Manager and add it as a feature. It is not available as a server role. Since NetBIOS names are used less and less and the need for WINS is significantly reduced from the NT 4.0 days, it's less likely you'll need to dedicate a server to being only a WINS server. Although in the past a WINS server could have a primary role as a WINS server and be highly utilized as a WINS server in a large ...

[...]

... via the Internet through the VPN server. The NAP health policy server holds the policy configured by the administrator. The health registration authority (HRA) verifies the health of the clients and issues health certificates to healthy clients.

FIGURE 4.16 Network with NAP deployed [figure: restricted network with remediation servers; VPN server; NAP health policy server; DHCP server; Internet; health registration authority]

[...]

... Chapter 1, "Introducing Windows Server 2008." These exercises install Active Directory Domain Services and DNS on your Windows Server 2008 system.

EXERCISE 4.4 Creating a Forward Lookup Zone
1. Launch the DNS Manager console by clicking Start > Administrative Tools > DNS.
2. Click the plus sign next to the server to open the DNS tree.
3. Right-click the server name, and select New ...