DNS Step-by-Step Guide
Microsoft Corporation
Published: October 2005
Authors: Andrea Weiss and Jim Groves
Editors: Justin Hall and Carolyn Eller
Abstract
This document can help you implement Domain Name System (DNS) on Microsoft® Windows Server™ 2003 on a small network. DNS is the main way that Windows Server 2003 translates computer names to network addresses. An Active Directory®-based domain controller also can act as a DNS server that registers the names and addresses of computers in the domain and then provides the network address of a member computer when queried with the computer's name. This guide explains how to set up DNS on a simple network consisting of a single domain.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, MS-DOS, Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
Contents
DNS Step-by-Step Guide ........................................ 1
Contents ...................................................... 3
Domain Name System Step-by-Step Guide ......................... 5
Planning DNS .................................................. 6
Understanding the DNS Namespace ............................... 6
Designing a DNS Namespace ..................................... 8
Installing and Configuring Active Directory and DNS .......... 11
Configuring DNS Client Settings (DNS Step-by-Step) ........... 17
Advanced DNS Configuration (DNS Step-by-Step) ................ 21
Adding Resource Records ...................................... 21
Automatically Removing Outdated Resource Records ............. 25
Configuring a Forwarder for Internet Access .................. 28
Troubleshooting DNS (DNS Step-by-Step) ....................... 28
Planning DNS
DNS is the primary method for name resolution in the Microsoft® Windows Server™ 2003, Standard Edition; Windows Server 2003, Enterprise Edition; and Windows Server 2003, Datacenter Edition operating systems (collectively referred to as "Windows Server 2003" in this guide). DNS is a requirement for deploying the Active Directory® directory service. Integrating DNS with Active Directory enables DNS servers to take advantage of the security, performance, and fault tolerance capabilities of Active Directory. Typically, you organize your DNS namespace (the association of domains, subdomains, and hosts) in a way that supports how you plan to use Active Directory to organize the computers on your network. For more information about using Active Directory to organize your network, see "Designing the Active Directory Logical Structure" in Designing and Deploying Directory and Security Services on Microsoft Windows Server 2003 TechCenter (http://go.microsoft.com/fwlink/?LinkId=50361) or on Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=50360).
The DNS namespace begins with a logical root domain that is not named, partly because it is implicit in all DNS names. The root domain in turn contains a limited number of subdomains that help organize the DNS namespace. These subdomains are called top-level domains (TLDs) because they are the highest-level or most inclusive part of the DNS namespace that people use. The names of these top-level domains are either functional or geographical. Functional top-level domains suggest the purpose of the organization that has registered a subdomain in the top-level domain. Some of the most common functional top-level domain names are:
• The .com top-level domain, which is usually used to register DNS domain names that belong to commercial entities, such as corporations.
• The .edu top-level domain, which is most often used by educational institutions, such as colleges and public and private schools.
• The .gov top-level domain, which is used by government entities, including federal, state, and local governments.
• The .net top-level domain, which is often used by organizations that provide Internet services, such as Internet service providers (ISPs).
• The .org top-level domain, which is typically used for private, nonprofit organizations.
Geographical top-level domains indicate the country or region where the organization that registered the domain is located. For example, an organization that wants to emphasize that it is located in Canada would register its Internet domain name in the .ca top-level domain, while an organization that wants to show that it is based in Brazil would register its Internet domain name in the .br top-level domain.
Most organizations that want to have an Internet presence, such as for a Web site or sending and receiving e-mail, register an Internet domain name that is a subdomain of a top-level domain. Usually they choose a subdomain name based on their organization's name, such as contoso.com or microsoft.com. Registering an Internet domain name reserves the name for the exclusive use of the organization and configures DNS servers on the Internet to provide the appropriate Internet Protocol (IP) address when they are queried for that name. In other words, it creates the equivalent of a telephone directory entry for the Internet domain name. But instead of providing a telephone number for the name, it provides the IP address that a computer requires to access the computers in the registered domain.
The DNS namespace is not limited to just the publicly registered Internet domain names. Organizations that have networks with their own DNS servers can create domains for their internal use. As the next section explains, these internal DNS namespaces can be, but are not required to be, subdomains of a public Internet domain name.
• Requires you to register only one name with an Internet name authority even if you later decide to make part of your internal namespace publicly accessible.
• Ensures that all of your internal domain names are globally unique.
• Simplifies administration by enabling you to administer internal and external domains separately.
• Allows you to use a firewall between the internal and external domains to secure your DNS deployment.
For example, an organization that has an external domain name of contoso.com might use the internal domain name corp.contoso.com. You can use your internal domain as a parent for additional child domains that you create to manage divisions within your company, in cases where you are deploying an Active Directory domain for each division. Child domain names are immediately subordinate to the domain name of the parent. For example, a child domain for a manufacturing division that is added to the us.corp.contoso.com namespace might have the domain name manu.us.corp.contoso.com.
If you are deploying DNS in a private network and do not plan to create an external namespace, you should nevertheless consider registering the DNS domain name that you create for your internal domain. If you do not register the name and later attempt to use it on the Internet, or connect to a network that is connected to the Internet, you might find that the name is unavailable.
4dentif" the o*ner of a computer in the computer name. Aor e3ample5 9ohn/doe indicates that John $oe uses the computer5 and pubs/server indicates that the computer is a server that belon0s to the Publications department. Alternativel"5 select names that describe the purpose of the computer. Aor e3ample5 a file server named past/accounts/= indicates that the file server stores information related to past accounts. $o not use character case to conve" the o*ner or purpose of a computer. $%& is not case/sensitive. Match the Active $irector" domain name to the primar" $%& suffi3 of the computer name. #he primar" $%& suffi3 is the part of the $%& name that appears after the host name. Aor more information5 see F$esi0nin0 the Active $irector" 8o0ical &tructureF in $esi0nin0 and $eplo"in0 $irector" and &ecurit" &ervices on Microsoft Windo*s &erver 200, #echCenter 'http:<<0o.microsoft.com<f*lin-<G 8in-4dH50,>=( or on Microsoft $o*nload Center 'http:<<0o.microsoft.com<f*lin-<G 8in-4dH50,>0(. 6se uni1ue names for all computers in "our or0ani:ation. $o not assi0n the same computer name to different computers in different $%& domains. 6se A&C44 characters to ensure interoperabilit" *ith computers runnin0 versions of Windo*s earlier than Windo*s 2000. Aor $%& computer names5 use onl" the characters ADJ5 aD:5 0DK5 and the h"phen '/(.
8. On the Create New Domain page, click Domain in a new forest, and then click Next.
9. On the New Domain Name page, type the full DNS name (such as corp.contoso.com) for the new domain, and then click Next.
10. On the NetBIOS Domain Name page, verify the NetBIOS name (for example, CORP), and then click Next.
11. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next.
12. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder, or click Browse to choose a location, and then click Next.
13. On the DNS Registration Diagnostics page, click Install and configure the DNS server on this computer, and set this computer to use this DNS server as its preferred DNS server, and then click Next.
14. On the Permissions page, select one of the following:
• Permissions compatible with pre-Windows 2000 Server operating systems
• Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems
15. On the Directory Services Restore Mode Administrator Password page, type a password that will be used to log on to the server in Directory Services Restore Mode, confirm the password, and then click Next.
16. Review the Summary page, and then click Next to begin the installation.
17. After the Active Directory installation completes, click OK to restart the computer.
$" To con&igure DNS client settings =. At the computer that "ou are confi0urin0 to use $%&5 clic- Start5 point to Control Panel5 and then clic- Net(or< Connections. 2. 7i0ht/clic- the net*or- connection that "ou *ant to confi0ure5 and then clicProperties. ,. On the General tab5 clic- Internet Protocol .TCP=IP/5 and then clicProperties.
B. 4f "ou *ant to obtain $%& server addresses from a $!CP server5 clic0btain DNS ser'er address automatically.
5. If you want to configure DNS server addresses manually, click Use the following DNS server addresses, and in Preferred DNS server and Alternate DNS server, type the Internet Protocol (IP) addresses of the preferred DNS server and alternate DNS server.
6. Click OK to exit.
Note: It is not necessary to restart the computer at this time if you intend to change the computer's name or domain membership in the following steps.
7. In Control Panel, double-click System.
8. On the Computer Name tab, click Change.
9. In Computer name, type the name of the computer (the host name).
10. Click Domain, and then type the name of the domain you want the computer to join.
11. If Computer Name Changes appears, in User Name, type the domain name and user name of an account that is allowed to join computers to the domain, and in Password, type the password of the account. Separate the domain name and user name with a backslash (for example, domain\user_name).
• Host address (A). Maps a computer's DNS domain name to the computer's IP address.
• Mail Exchanger (MX). Maps a DNS domain name to the name of a computer that exchanges or forwards e-mail.
Important: When the Active Directory Installation Wizard installs and configures DNS on the new domain controller, it creates resource records that are necessary for the proper operation of the DNS server on the domain controller. Do not remove or change these resource records. Change or remove only those resource records that you have added yourself.
Important: Make sure that you correctly type the address and that it is assigned as a static address (not assigned by DHCP). If the address is incorrect or changes, client computers will not be able to locate the host by using DNS.
MX Resource Records
The MX resource record is used by e-mail applications to locate a mail server by using the DNS domain name that appears in the destination e-mail address for the recipient. For example, a DNS query for the name sales.corp.contoso.com can be used to find an MX resource record, which enables an e-mail application to forward or exchange mail to a user with the e-mail address user@sales.corp.contoso.com. The MX resource record shows the fully qualified DNS domain name for the computer that processes e-mail for a domain. If multiple MX resource records exist, the DNS Client service attempts to contact the e-mail servers in the order of preference using the Mail server priority field. The lowest value has the highest priority, and the highest value has the lowest priority.
To add a mail exchanger (MX) resource record to a zone
1. At the DNS server, click Start, point to Administrative Tools, and then click DNS.
2. In the console tree, right-click the applicable zone, and then click New Mail Exchanger (MX).
3. In Host or child domain, type the name of the host or domain of the mail exchanger for this domain only if it is different from the parent domain; otherwise, leave this field blank.
4. In Fully qualified domain name (FQDN) of mail server, type the DNS domain name of an existing mail server that can function as a mail exchanger for the domain.
5. In Mail server priority, type a number between 0 and 65535 that indicates the priority of the mail server among other mail exchangers for this domain. The mailer attempts to deliver mail to servers with lower priority numbers before attempting to deliver to servers with higher priority numbers.
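The priority ordering described for MX records, as an added Python example that is not part of the guide: it parses a few constructed zone-file lines for the guide's sales.corp.contoso.com domain, rejects a Mail server priority outside 0 to 65535, and returns the exchangers in the order a mailer tries them, lowest number first. The mail host names and the zone-file layout are assumptions.

```python
"""MX preference ordering for the guide's sales.corp.contoso.com example.
Added illustration; the zone lines and mail host names are constructed."""
import re
from dataclasses import dataclass

# Constructed zone-file lines (not from the guide): four exchangers for the
# sales.corp.contoso.com domain, two of them sharing the same preference.
SAMPLE_ZONE = """
; owner                    class type pref exchange
sales.corp.contoso.com.    IN    MX   10   mail1.corp.contoso.com.
sales.corp.contoso.com.    IN    MX   20   mail2.corp.contoso.com.
sales.corp.contoso.com.    IN    MX   10   mail3.corp.contoso.com.
sales.corp.contoso.com.    IN    MX   0    primary.corp.contoso.com.
"""

# owner [ttl] IN MX preference exchange  (the TTL column is optional)
_MX_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+MX\s+(\d+)\s+(\S+)$")


@dataclass(frozen=True)
class MXRecord:
    owner: str        # the mail domain the record belongs to
    preference: int   # "Mail server priority" in the DNS console
    exchange: str     # FQDN of the mail server


def mx_preference_ok(preference: int) -> bool:
    """The console accepts 0 through 65535; anything else is invalid."""
    return 0 <= preference <= 65535


def parse_mx_records(zone_text: str) -> list:
    """Parse MX lines from zone-file text; comments and other records are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = _MX_RE.match(line)
        if not m:
            continue
        pref = int(m.group(2))
        if not mx_preference_ok(pref):
            raise ValueError(f"MX preference {pref} is outside 0..65535")
        # Trailing dots mark absolute names; DNS names are case-insensitive.
        records.append(MXRecord(m.group(1).rstrip(".").lower(), pref,
                                m.group(3).rstrip(".").lower()))
    return records


def mx_delivery_order(records: list, domain: str) -> list:
    """Exchangers for `domain` in the order a mailer tries them: lowest
    preference number first. Records with equal preference are equally
    preferred (a real mailer picks among them at random); the secondary
    sort on exchange name here only keeps the output deterministic."""
    wanted = [r for r in records if r.owner == domain.rstrip(".").lower()]
    ordered = sorted(wanted, key=lambda r: (r.preference, r.exchange))
    return [(r.preference, r.exchange) for r in ordered]
```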
4. Click the Advanced tab, select Enable automatic scavenging of stale records, and then click OK.
5. On the Action menu, click Set Aging/Scavenging for All Zones, click Scavenge stale resource records, and then click OK.
6. In the Server Scavenging/Aging Confirmation dialog box, select Apply these settings to the existing Active Directory-enabled zones, and then click OK.
2"
commands on several DNS client computers and with several different target computers, and note the results:
ping internal_host_ip_address
ping internal_host_name
ping Internet_host_name
where internal_host_ip_address is the Internet Protocol (IP) address of a computer that exists in the client's domain, internal_host_name is the DNS domain name of the computer, and Internet_host_name is the name of a computer that exists on the Internet. Note that it is not important whether an Internet computer responds to the ping request, only whether the specified name can be resolved to an IP address. The results of these tests will suggest the nature of the problem, as listed in the following table.
Ping Command Result / Possible Cause

Ping command result: (not present in the extracted text)
Possible cause: This might indicate that the clients cannot access the assigned DNS server. This might be the result of general network problems, particularly if ping using IP addresses fails. Otherwise, if the clients are configured to obtain DNS server addresses automatically, the DHCP servers on the network might not be configured properly.

Ping command result: Multiple clients cannot resolve intranet names, but can resolve Internet names
Possible cause: This suggests that host (A) resource records or other records (such as SRV records) do not exist in the DNS zone database. Check to ensure that the appropriate resource records exist and that the DNS server is properly configured to receive automatic updates, as appropriate. If the target host names are located in a particular child zone, ensure that delegation of that zone is properly configured.

Ping command result: Multiple clients cannot resolve Internet names, but can resolve intranet names
Possible cause: The designated forwarder of the DNS domain is unavailable, or the DNS server is not properly configured to use a forwarder. For more information about configuring a DNS server to use a forwarder, see Advanced DNS Configuration (DNS Step-by-Step) in this guide.

Ping command result: One client only cannot resolve intranet names, only Internet names
Possible cause: If the ping command using IP addresses fails, this indicates that the client computer cannot connect to the network at all. Ensure that the client computer is physically connected to the network and that the network adapter for the computer is functioning properly. If the ping command using IP addresses succeeds, but ping cannot resolve DNS domain names, then the TCP/IP settings of the client are probably incorrect. To correct the settings, see Configuring DNS Client Settings (DNS Step-by-Step) in this guide. If the client computer was previously configured to connect directly to the Internet, its TCP/IP properties might be configured to use an external DNS server, such as a DNS server from an Internet Service Provider (ISP). In most cases, the client should not use a DNS server from an ISP as either the preferred or alternate DNS server, because the DNS server at the ISP is unable to resolve internal names. Using a DNS server from an ISP in the TCP/IP configuration of a client can also cause problems with conflicting internal and external namespaces. To correct the settings, see Configuring DNS Client Settings (DNS Step-by-Step) in this guide.
If you have ruled out all of these potential problems for a particular client and still cannot resolve DNS names, use the following procedure to verify the DNS client settings.
To verify DNS client configuration in TCP/IP settings
1. Log on to the DNS client computer with the Administrator account.
2. Click Start, click Control Panel, and then double-click Network Connections.
3. In Network and Dial-up Connections, right-click the local area connection that you want, and then click Properties.
4. In Local Area Network Connection Properties, click Internet Protocol (TCP/IP), and then click Properties.
5. If Obtain an IP address automatically is selected, type the following at a command prompt, and then press ENTER:
ipconfig /all
6. Review the DNS server settings and verify that they are correct. If the client does not have a valid TCP/IP configuration, you can either:
• For dynamically configured clients, use the ipconfig /renew command to manually force the client to renew its IP address configuration with the DHCP server.
• For statically configured clients, modify the client TCP/IP properties to use valid configuration settings or complete its DNS configuration for the network.