
DNS Step-by-Step Guide

Microsoft Corporation
Published: October 2005
Authors: Andrea Weiss and Jim Groves
Editors: Justin Hall and Carolyn Eller

Abstract
This document can help you implement Domain Name System (DNS) on Microsoft® Windows Server™ 2003 on a small network. DNS is the main way that Windows Server 2003 translates computer names to network addresses. An Active Directory®-based domain controller also can act as a DNS server that registers the names and addresses of computers in the domain and then provides the network address of a member computer when queried with the computer's name. This guide explains how to set up DNS on a simple network consisting of a single domain.

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Windows Server, are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

Contents
DNS Step-by-Step Guide
Contents
Domain Name System Step-by-Step Guide
Planning DNS
  Understanding the DNS Namespace
  Designing a DNS Namespace
Installing and Configuring Active Directory and DNS
Configuring DNS Client Settings (DNS Step-by-Step)
Advanced DNS Configuration (DNS Step-by-Step)
  Adding Resource Records
  Automatically Removing Outdated Resource Records
  Configuring a Forwarder for Internet Access
Troubleshooting DNS (DNS Step-by-Step)

Domain Name System Step-by-Step Guide


Domain Name System (DNS) is a system for naming computers and network services that organizes them into a hierarchy of domains. DNS naming is used on TCP/IP networks, such as the Internet, to locate computers and services by using user-friendly names. When a user enters the DNS name of a computer in an application, DNS can look up the name and provide other information associated with the computer, such as its IP address or services that it provides for the network. This process is called name resolution.

Name systems such as DNS make it easier to use network resources by providing users a way to refer to a computer or service by a name that is easy to remember. DNS looks up that name and provides the numeric address that operating systems and applications require to identify the computer on a network. For example, users enter www.microsoft.com instead of the server's numeric IP address to identify the Microsoft Web server on the Internet.

DNS requires little ongoing maintenance for small and medium-sized businesses, which typically have one to four DNS servers (larger medium-sized organizations usually have between four and 14 DNS servers). DNS problems, however, can affect availability for your entire network. Most DNS problems arise because of DNS settings that are incorrectly configured. By following the procedures in this guide, you can avoid such problems when you deploy DNS in a simple Microsoft® Windows Server™ 2003-based network.

This guide explains how to install and configure a basic DNS implementation in a network that consists of a single new Active Directory® domain. It then addresses some advanced topics that medium-sized organizations might need to consider. Finally, it includes some basic DNS troubleshooting steps you can take if you suspect your environment is having problems with DNS.

In This Guide
- Planning DNS
- Installing and Configuring Active Directory and DNS
- Configuring DNS Client Settings (DNS Step-by-Step)
- Advanced DNS Configuration (DNS Step-by-Step)
- Troubleshooting DNS (DNS Step-by-Step)

Planning DNS
DNS is the primary method for name resolution in the Microsoft® Windows Server™ 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems (collectively referred to as "Windows Server 2003" in this guide). DNS is a requirement for deploying the Active Directory® directory service. Integrating DNS with Active Directory enables DNS servers to take advantage of the security, performance, and fault tolerance capabilities of Active Directory.

Typically, you organize your DNS namespace (the association of domains, subdomains, and hosts) in a way that supports how you plan to use Active Directory to organize the computers on your network. For more information about using Active Directory to organize your network, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services on Microsoft Windows Server 2003 TechCenter (http://go.microsoft.com/fwlink/?LinkId=50361) or on Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=50360).

Understanding the DNS Namespace


DNS is a hierarchical naming system. A DNS name includes the names of all of the DNS namespaces that it belongs to. The following illustration shows how the DNS namespace is organized.

The DNS namespace begins with a logical root domain that is not named, partly because it is implicit in all DNS names. The root domain in turn contains a limited number of subdomains that help organize the DNS namespace. These subdomains are called top-level domains (TLDs) because they are the highest-level or most inclusive part of the DNS namespace that people use. The names of these top-level domains are either functional or geographical.

Functional top-level domains suggest the purpose of the organization that has registered a subdomain in the top-level domain. Some of the most common functional top-level domain names are:
- The .com top-level domain, which is usually used to register DNS domain names that belong to commercial entities, such as corporations.
- The .edu top-level domain, which is most often used by educational institutions, such as colleges and public and private schools.
- The .gov top-level domain, which is used by government entities, including federal, state, and local governments.
- The .net top-level domain, which is often used by organizations that provide Internet services, such as Internet service providers (ISPs).
- The .org top-level domain, which is typically used for private, nonprofit organizations.

Geographical top-level domains indicate the country or region where the organization that registered the domain is located. For example, an organization that wants to emphasize that it is located in Canada would register its Internet domain name in the .ca top-level domain, while an organization that wants to show that it is based in Brazil would register its Internet domain name in the .br top-level domain.

Most organizations that want to have an Internet presence, such as for a Web site or sending and receiving e-mail, register an Internet domain name that is a subdomain of a top-level domain. Usually they choose a subdomain name based on their organization's name, such as contoso.com or microsoft.com. Registering an Internet domain name reserves the name for the exclusive use of the organization and configures DNS servers on the Internet to provide the appropriate Internet Protocol (IP) address when they are queried for that name. In other words, it creates the equivalent of a telephone directory entry for the Internet domain name. But instead of providing a telephone number for the name, it provides the IP address that a computer requires to access the computers in the registered domain.

The DNS namespace is not limited to just the publicly registered Internet domain names. Organizations that have networks with their own DNS servers can create domains for their internal use. As the next section explains, these internal DNS namespaces can be, but are not required to be, subdomains of a public Internet domain name.

Designing a DNS Namespace


You can design an external namespace that is visible to Internet users and computers, and you can also design an internal namespace that is accessible only to users and computers that are within the internal network.

Organizations that require an Internet presence as well as an internal namespace must deploy both an internal and an external DNS namespace and manage each namespace separately. In this case, it is recommended that you make your internal domain a subdomain of your external domain. Using an internal domain that is a subdomain of an external domain:
- Requires you to register only one name with an Internet name authority even if you later decide to make part of your internal namespace publicly accessible.
- Ensures that all of your internal domain names are globally unique.
- Simplifies administration by enabling you to administer internal and external domains separately.
- Allows you to use a firewall between the internal and external domains to secure your DNS deployment.

For example, an organization that has an external domain name of contoso.com might use the internal domain name corp.contoso.com.

You can use your internal domain as a parent for additional child domains that you create to manage divisions within your company, in cases where you are deploying an Active Directory domain for each division. Child domain names are immediately subordinate to the domain name of the parent. For example, a child domain for a manufacturing division that is added to the us.corp.contoso.com namespace might have the domain name manu.us.corp.contoso.com.

Creating an Internet DNS Domain Name


An Internet DNS domain name is composed of a top-level domain name (such as .com, .org, or .edu) and a unique subdomain name chosen by the domain owner. For example, a company named Contoso Corporation would probably choose contoso.com as its Internet domain name.

When you have selected your Internet DNS domain, conduct a preliminary search of the Internet to confirm that the DNS domain name that you selected is not already registered to another organization. If you do not find that your domain name is already registered to another organization, contact your Internet service provider (ISP) to confirm that the domain name is available and to help you register your domain name. Your ISP will probably set up a DNS server on its own network to host the DNS zone for your domain name, or it might help you set up a DNS server on your network for this purpose.

Creating Internal DNS Domain Names


For your internal domains, create names relative to your registered Internet DNS domain name. For example, if you have registered the Internet DNS domain name contoso.com for your organization, use a DNS domain name such as corp.contoso.com for the internal fully qualified DNS domain name and use CORP as the NetBIOS name.

If you are deploying DNS in a private network and do not plan to create an external namespace, you should nevertheless consider registering the DNS domain name that you create for your internal domain. If you do not register the name and later attempt to use it on the Internet, or connect to a network that is connected to the Internet, you might find that the name is unavailable.

Creating DNS Computer Names


It is important to develop a practical DNS computer-naming convention for computers on your network. This enables users to remember the names of computers on public and private networks easily, and therefore facilitates access to network resources. Use the following guidelines when creating names for the DNS computers in your Windows Server 2003 DNS infrastructure:
- Select computer names that are easy for users to remember.
- Identify the owner of a computer in the computer name. For example, john-doe indicates that John Doe uses the computer, and pubs-server indicates that the computer is a server that belongs to the Publications department.
- Alternatively, select names that describe the purpose of the computer. For example, a file server named past-accounts-1 indicates that the file server stores information related to past accounts.
- Do not use character case to convey the owner or purpose of a computer. DNS is not case-sensitive.
- Match the Active Directory domain name to the primary DNS suffix of the computer name. The primary DNS suffix is the part of the DNS name that appears after the host name. For more information, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services on Microsoft Windows Server 2003 TechCenter (http://go.microsoft.com/fwlink/?LinkId=50361) or on Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=50360).
- Use unique names for all computers in your organization. Do not assign the same computer name to different computers in different DNS domains.
- Use ASCII characters to ensure interoperability with computers running versions of Windows earlier than Windows 2000. For DNS computer names, use only the characters A-Z, a-z, 0-9, and the hyphen (-).
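The mechanical parts of these guidelines (allowed characters, case, suffix matching, uniqueness) can be checked against a list of names. The following is an added example, not part of the original guide; the function name, finding codes, and sample inventory are constructed for illustration, and it assumes the single-domain network this guide describes.

```python
import re
from collections import defaultdict

# Characters the guide allows in a DNS computer name: A-Z, a-z, 0-9, hyphen.
ALLOWED = re.compile(r"^[A-Za-z0-9-]+$")

# Hypothetical finding codes, one per guideline that can be checked mechanically.
FINDINGS = {
    "BAD_CHARS": "host name uses characters outside A-Z, a-z, 0-9 and hyphen",
    "SUFFIX_MISMATCH": "primary DNS suffix does not match the Active Directory domain",
    "DUPLICATE_HOST": "same computer name is used in different DNS domains",
    "CASE_ONLY": "names differ only by character case (DNS is not case-sensitive)",
}


def audit_names(fqdns, ad_domain):
    """Return a sorted list of (subject, finding_code) for an inventory of FQDNs."""
    findings = []
    suffixes_by_host = defaultdict(set)   # lowercased host name -> suffixes seen
    spellings = defaultdict(set)          # lowercased FQDN -> spellings seen

    for fqdn in fqdns:
        name = fqdn.rstrip(".")
        # The primary DNS suffix is everything after the host name.
        host, _, suffix = name.partition(".")
        if not ALLOWED.match(host):
            findings.append((fqdn, "BAD_CHARS"))
        if suffix.lower() != ad_domain.lower():
            findings.append((fqdn, "SUFFIX_MISMATCH"))
        suffixes_by_host[host.lower()].add(suffix.lower())
        spellings[name.lower()].add(name)

    for host, suffixes in suffixes_by_host.items():
        if len(suffixes) > 1:
            findings.append((host, "DUPLICATE_HOST"))
    for lowered, variants in spellings.items():
        if len(variants) > 1:
            findings.append((lowered, "CASE_ONLY"))
    return sorted(findings)


# Constructed inventory using the guide's example names plus deliberate violations.
SAMPLE_INVENTORY = [
    "john-doe.corp.contoso.com",
    "pubs-server.corp.contoso.com",
    "past_accounts-1.corp.contoso.com",   # underscore is not an allowed character
    "FileSrv.corp.contoso.com",           # differs from the next entry only by case
    "filesrv.corp.contoso.com",
    "pubs-server.contoso.com",            # same host name in a second DNS domain
]

if __name__ == "__main__":
    for subject, code in audit_names(SAMPLE_INVENTORY, "corp.contoso.com"):
        print(f"{subject}: {FINDINGS[code]}")
```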


Installing and Configuring Active Directory and DNS


When you create a new domain, the Active Directory Installation Wizard installs DNS on the server by default. This ensures that DNS and Active Directory are configured properly for integration with each other.

Important
Before you install Active Directory and DNS on the first domain controller server in a new domain, ensure that the IP address of the server is static, meaning it is not assigned by Dynamic Host Configuration Protocol (DHCP). DNS servers must have static addresses to ensure that they can be located reliably.

To install DNS with Active Directory in a new domain
1. Click Start, point to Administrative tools, and then click Configure Your Server Wizard.
2. On the Manage Your Server page, click Add or remove a role.
3. On the Configure Your Server Wizard page, click Next.
4. Click Domain Controller (Active Directory) and then click Next.
5. On the Welcome to the Active Directory Installation Wizard page, click Next.
6. On the Operating System Compatibility page, read the information and then click Next. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.
7. On the Domain Controller Type page, click Domain controller for a new domain and then click Next.
8. On the Create New Domain page, click Domain in a new forest and then click Next.
9. On the New Domain Name page, type the full DNS name (such as corp.contoso.com) for the new domain, and then click Next.
10. On the NetBIOS Domain Name page, verify the NetBIOS name (for example, CORP), and then click Next.
11. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.
12. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse to choose a location, and then click Next.
13. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server, and then click Next.
14. On the Permissions page, select one of the following:
    - Permissions compatible with pre-Windows 2000 Server operating systems
    - Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
15. On the Directory Services Restore Mode Administrator Password page, type a password that will be used to log on to the server in Directory Services Restore Mode, confirm the password, and then click Next.
16. Review the Summary page, and then click Next to begin the installation.
17. After the Active Directory installation completes, click OK to restart the computer.

Configuring DNS Client Settings (DNS Step-by-Step)


Configure the following settings for each DNS client:
- TCP/IP settings for DNS
- Host name and domain membership

To configure DNS client settings
1. At the computer that you are configuring to use DNS, click Start, point to Control Panel, and then click Network Connections.
2. Right-click the network connection that you want to configure, and then click Properties.
3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.
4. If you want to obtain DNS server addresses from a DHCP server, click Obtain DNS server address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. Click OK to exit.
   Note
   It is not necessary to restart the computer at this time if you intend to change the computer's name or domain membership in the following steps.
7. In Control Panel, double-click System.
8. On the Computer Name tab, click Change.
9. In Computer name, type the name of the computer (the host name).
10. Click Domain, and then type the name of the domain you want the computer to join.
11. If Computer Name Changes appears, in User Name, type the domain name and user name of an account that is allowed to join computers to the domain, and in Password, type the password of the account. Separate the domain name and user name with a backslash (for example, domain\user_name).
12. Click OK to close all dialog boxes.

Advanced DNS Configuration (DNS Step-by-Step)


In most cases, Active Directory-integrated DNS on a small, simple Windows-based network requires little configuration beyond the initial setup. Occasionally, however, you might need to perform some additional configuration tasks, such as adding resource records or configuring a DNS forwarder, to handle unusual situations.

Adding Resource Records


Resource records store information about specific network computers, such as their names, Internet Protocol (IP) addresses, and services that the computers provide. In most cases, Windows-based computers update their own resource records on DNS servers (using DNS dynamic update protocol, also known as dynamic DNS), eliminating the need for an administrator to manage them. However, if your network contains non-Windows-based computers or computers that you want to designate for handling e-mail, you might need to add the following resource records to the zone on your DNS server for these computers:
- Host address (A). Maps a computer's DNS domain name to the computer's IP address.
- Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards e-mail.

Important
When the Active Directory Installation Wizard installs and configures DNS on the new domain controller, it creates resource records that are necessary for the proper operation of the DNS server on the domain controller. Do not remove or change these resource records. Change or remove only those resource records that you have added yourself.

Host A Resource Records


The host A resource record is used to associate the DNS domain name of a computer (or "host") to its IP address. The host A resource record is not required for all computers, but it is required for any computer that shares resources on a network and needs to be identified by its DNS domain name.

Windows clients and servers use the Dynamic Host Configuration Protocol (DHCP) Client service to dynamically register and update their own A resource records in DNS when an IP configuration change occurs. DHCP-enabled client computers running earlier versions of Microsoft operating systems can have their A resource records registered and updated by proxy if they obtain their IP address lease from a qualified DHCP server. (Only the Windows 2000 and Windows Server 2003 DHCP Server service supports this feature.)

You can manually create an A resource record for a static TCP/IP client computer or a computer running non-Windows operating systems by using the DNS snap-in.

To add a host A resource record to a zone
1. At the DNS server, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click New Host (A).
3. In Name (uses parent domain if blank), type the name of the computer (host) that you are creating an A resource record for.
4. In IP address, type the address of the computer that you are creating an A resource record for.
   Important
   Make sure that you correctly type the address and that it is assigned as a static address (not assigned by DHCP). If the address is incorrect or changes, client computers will not be able to locate the host by using DNS.

MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server by using the DNS domain name that appears in the destination e-mail address for the recipient. For example, a DNS query for the name sales.corp.contoso.com can be used to find an MX resource record, which enables an e-mail application to forward or exchange mail to a user with the e-mail address user@sales.corp.contoso.com. The MX resource record shows the fully qualified DNS domain name for the computer that processes e-mail for a domain. If multiple MX resource records exist, the DNS Client service attempts to contact the e-mail servers in the order of preference using the Mail server priority field. The lowest value has the highest priority, and the highest value has the lowest priority.

To add a mail exchanger MX resource record to a zone
1. At the DNS server, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click New Mail Exchanger (MX).
3. In Host or child domain, type the name of the host or domain of the mail exchanger for this domain only if it is different from the parent domain; otherwise, leave this field blank.
4. In Fully qualified domain name (FQDN) of mail server, type the DNS domain name of an existing mail server that can function as a mail exchanger for the domain.
5. In Mail server priority, type a number between 0 and 65535 that indicates the priority of the mail server among other mail exchangers for this domain. The mailer attempts to deliver mail to servers with lower priority numbers before attempting to deliver to servers with higher priority numbers.

Automatically Removing Outdated Resource Records


While the ability of DHCP to register A and PTR resource records automatically whenever a new device is added to the network makes life easier for the network administrator, it does have one drawback: Unless action is taken to remove them, those resource records will remain in the DNS zone database indefinitely. While this is not a problem with relatively static networks, it negatively affects networks that change frequently (with the addition and removal of portable computers, for example). This accumulation of records can result in poor performance of both the DNS server and DHCP services as both have to work around these stale (obsolete) host/address mappings. Eventually, the zone could even run out of addresses for computers that are subsequently added to the network.

Fortunately, Windows DHCP services and the Windows Server 2003 DNS server are designed to cooperate to help prevent this from happening. You can configure the DNS server to track the age of each dynamically assigned record and to periodically remove records older than a specified number of days, a process known as scavenging. The age of a record is based on when it was created or last updated. By default, computers running Windows 2000, Windows XP, and Windows Server 2003 send a request to the DNS server to update their records every 24 hours. (To prevent unnecessary replication, the Windows Server 2003 DNS server can be configured to ignore these requests for a period of time.) The DNS server is thereby notified that the computers in question are still on the network and their records are not subject to scavenging.

Because scavenging can cause problems on a network when it is misconfigured, it is disabled by default in Windows Server 2003. Enabling scavenging with default settings is quite safe and is recommended if computers are frequently added to and removed from your network.

To enable scavenging on a DNS server
1. At the DNS server you want to enable scavenging on, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. Click the Advanced tab, select Enable automatic scavenging of stale records, and then click OK.
5. On the Action menu, click Set Aging/Scavenging for All Zones, click Scavenge stale resource records, and then click OK.
6. In the Server Scavenging/Aging Confirmation dialog box, select Apply these settings to the existing Active Directory-enabled zones, and then click OK.
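The aging behavior described in this section can be modeled day by day to see which records survive. This is an added example, not code from the guide or from Windows Server; it is a simplified model in which the parameter names no_refresh_days and scavenge_after_days, their values, and the sample zone are assumptions, and only the 24-hour client update interval comes from the text above.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Record:
    name: str
    timestamp: Optional[int]          # day of last accepted update; None = added manually
    leaves_on: Optional[int] = None   # day the computer is removed from the network


def sample_zone():
    """Constructed zone: the dynamic records were all registered on day 0."""
    return [
        Record("desktop.corp.contoso.com", 0),               # stays on the network
        Record("laptop.corp.contoso.com", 0, leaves_on=3),   # portable computer that leaves
        Record("printer.corp.contoso.com", None),            # record added by an administrator
    ]


def simulate(records, days, no_refresh_days, scavenge_after_days):
    """Advance the zone one day at a time; return {record name: day it was scavenged}.

    Each computer still on the network sends an update every 24 hours. The server
    ignores an update that arrives less than no_refresh_days after the last accepted
    one, and removes any dynamic record older than scavenge_after_days.
    """
    zone = {r.name: r for r in records}
    removed = {}
    for day in range(1, days + 1):
        for rec in list(zone.values()):
            if rec.timestamp is None:
                continue                      # only dynamically registered records age
            on_network = rec.leaves_on is None or day < rec.leaves_on
            if on_network and day - rec.timestamp >= no_refresh_days:
                rec.timestamp = day           # update accepted, age resets
            if day - rec.timestamp > scavenge_after_days:
                removed[rec.name] = day       # stale: scavenged
                del zone[rec.name]
    return removed


if __name__ == "__main__":
    # Threshold longer than the ignore window: only the departed laptop is removed.
    print(simulate(sample_zone(), 30, no_refresh_days=7, scavenge_after_days=14))
    # Misconfigured: threshold shorter than the ignore window, so the record of a
    # computer that is still on the network ages out before an update is accepted.
    print(simulate(sample_zone(), 30, no_refresh_days=7, scavenge_after_days=5))
```

In this model the removal threshold has to exceed the window during which updates are ignored; otherwise records of live computers are scavenged, which is the kind of misconfiguration the guide warns about.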

Configuring a Forwarder for Internet Access


A forwarder is a DNS server on a network that forwards DNS queries for external DNS names to DNS servers outside of that network. By using a forwarder, you can manage how names outside of your network are resolved, such as names on the Internet. When you designate a DNS server as a forwarder, you make that forwarder responsible for handling external traffic. If you are not using a firewall to isolate your network from the Internet, you should use a forwarder to provide Internet access to clients on your network.

Important
Connecting your network directly to the Internet without using a firewall to control external access to your network computers can result in serious security issues. Microsoft strongly recommends that you use a firewall instead of a forwarder to provide Internet connectivity for your network clients.

To configure a DNS server to use a forwarder
1. At the DNS server that you want to configure to use forwarders, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, click the applicable DNS server.
3. On the Action menu, click Properties.
4. On the Forwarders tab, under DNS domain, click All other domain names.
5. Under Selected domain's forwarder IP address list, type the Internet Protocol (IP) address of a forwarder supplied by your Internet service provider (ISP), and then click Add.
6. Click OK to exit.

Troubleshooting DNS (DNS Step-by-Step)


Most often, DNS configuration problems are exposed when one or more DNS client computers are unable to resolve host names. The first step in troubleshooting DNS problems is to determine the scope of the problem by using the ping command on multiple clients to resolve the names of hosts on the intranet and the Internet and to test overall network connectivity. Use the following commands on several DNS client computers and with several different target computers, and note the results:

    ping internal_host_ip_address
    ping internal_host_name
    ping Internet_host_name

where internal_host_ip_address is the Internet Protocol (IP) address of a computer that exists in the client's domain, internal_host_name is the DNS domain name of the computer, and Internet_host_name is the name of a computer that exists on the Internet. Note that it is not important whether an Internet computer responds to the ping request, only whether the specified name can be resolved to an IP address.

The results of these tests will suggest the nature of the problem, as listed in the following table.
| Ping Command Result | Possible Cause |
| --- | --- |
| Multiple clients cannot resolve any intranet or Internet names | This might indicate that the clients cannot access the assigned DNS server. This might be the result of general network problems, particularly if ping using IP addresses fails. Otherwise, if the clients are configured to obtain DNS server addresses automatically, the DHCP servers on the network might not be configured properly. |
| Multiple clients cannot resolve intranet names, but can resolve Internet names | This suggests that host (A) resource records or other records (such as SRV records) do not exist in the DNS zone database. Check to ensure that the appropriate resource records exist and that the DNS server is properly configured to receive automatic updates, as appropriate. If the target host names are located in a particular child zone, ensure that delegation of that zone is properly configured. |
| Multiple clients cannot resolve Internet names, but can resolve intranet names | The designated forwarder of the DNS domain is unavailable, or the DNS server is not properly configured to use a forwarder. For more information about configuring a DNS server to use a forwarder, see Advanced DNS Configuration (DNS Step-by-Step) in this guide. |
| One client only cannot resolve any intranet or Internet names | If the ping command using IP addresses fails, this indicates that the client computer cannot connect to the network at all. Ensure that the client computer is physically connected to the network and that the network adapter for the computer is functioning properly. If the ping command using IP addresses succeeds, but ping cannot resolve DNS domain names, then the TCP/IP settings of the client are probably incorrect. To correct the settings, see Configuring DNS Client Settings (DNS Step-by-Step) in this guide. |
| One client only cannot resolve intranet names, only Internet names | If the client computer was previously configured to connect directly to the Internet, its TCP/IP properties might be configured to use an external DNS server, such as a DNS server from an Internet Service Provider (ISP). In most cases, the client should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP is unable to resolve internal names. Using a DNS server from an ISP in the TCP/IP configuration of a client can also cause problems with conflicting internal and external namespaces. To correct the settings, see Configuring DNS Client Settings (DNS Step-by-Step) in this guide. |
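The table above can be applied mechanically once the three ping results have been recorded for each client. The following is an added example, not part of the original guide; the function names, result keys, and sample client names are constructed, and the cause strings paraphrase the table.

```python
import socket
from collections import defaultdict

# (scope, failure pattern[, IP ping result]) -> possible cause, paraphrasing the table.
CAUSES = {
    ("multiple", "all_fail", "ip_fail"): "general network problem between clients and DNS server",
    ("multiple", "all_fail", "ip_ok"): "clients cannot reach assigned DNS server; check DHCP-supplied DNS settings",
    ("multiple", "intranet_fail"): "A/SRV records missing, dynamic updates or child zone delegation misconfigured",
    ("multiple", "internet_fail"): "forwarder unavailable or DNS server not configured to use it",
    ("single", "all_fail", "ip_fail"): "client not connected to the network (cable or adapter)",
    ("single", "all_fail", "ip_ok"): "client TCP/IP DNS settings probably incorrect",
    ("single", "intranet_fail"): "client may be using an external (ISP) DNS server",
}
NOT_COVERED = "combination not covered by the guide's table"


def resolves(name):
    """True if the name resolves; whether the host answers ping is irrelevant."""
    try:
        socket.getaddrinfo(name, None)
        return True
    except socket.gaierror:
        return False


def pattern_of(result):
    """Reduce one client's results to the failure pattern used in the table."""
    if not result["internal_name"] and not result["internet_name"]:
        return "all_fail"
    if not result["internal_name"]:
        return "intranet_fail"
    if not result["internet_name"]:
        return "internet_fail"
    return "ok"


def triage(results):
    """Group clients by failure pattern and look up the table row for each group."""
    groups = defaultdict(list)
    for result in results:
        groups[pattern_of(result)].append(result)
    findings = []
    for pattern, rows in groups.items():
        if pattern == "ok":
            continue
        scope = "multiple" if len(rows) > 1 else "single"
        key = (scope, pattern)
        if pattern == "all_fail":
            # The table splits this case on whether ping by IP address works.
            ip_failed = all(not r["ip_ping"] for r in rows)
            key += ("ip_fail" if ip_failed else "ip_ok",)
        clients = sorted(r["client"] for r in rows)
        findings.append((clients, key, CAUSES.get(key, NOT_COVERED)))
    return sorted(findings)


# Constructed results: one row per client, as noted from the three ping commands.
SAMPLE_RESULTS = [
    {"client": "ws1", "ip_ping": True, "internal_name": True, "internet_name": False},
    {"client": "ws2", "ip_ping": True, "internal_name": True, "internet_name": False},
    {"client": "ws3", "ip_ping": True, "internal_name": False, "internet_name": True},
    {"client": "ws4", "ip_ping": False, "internal_name": False, "internet_name": False},
    {"client": "ws5", "ip_ping": True, "internal_name": True, "internet_name": True},
]

if __name__ == "__main__":
    for clients, key, cause in triage(SAMPLE_RESULTS):
        print(", ".join(clients), "->", cause)
```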

If you have ruled out all of these potential problems for a particular client and still cannot resolve DNS names, use the following procedure to verify the DNS client settings.

To verify DNS client configuration in TCP/IP settings
1. Log on to the DNS client computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network and Dial-up Connections, right-click the local area connection that you want, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. If Obtain an IP address automatically is selected, type the following at a command prompt, and then press ENTER:
       ipconfig /all
6. Review the DNS server settings and verify that they are correct. If the client does not have a valid TCP/IP configuration, you can either:
   - For dynamically configured clients, use the ipconfig /renew command to manually force the client to renew its IP address configuration with the DHCP server.
   - For statically configured clients, modify the client TCP/IP properties to use valid configuration settings or complete its DNS configuration for the network.
