Tuesday, April 14, 2009

Microsoft DNS

By default a Windows 2000 DHCP client registers its own forward lookup entry (A record) in DNS, and the DHCP server registers the reverse lookup entry (PTR record) on the client's behalf. The DHCP server can also be configured to register both the A and the PTR record itself (see below).

Windows 2000 computers can register their IP addresses and names with a DNS server that supports dynamic updates (not all DNS servers do, but Windows 2000 DNS servers do). Older clients such as Windows NT 4.0 and Windows 9x cannot register their own records dynamically. A Windows 2000 DHCP server can be configured to register the assigned IP address and host name on behalf of such clients with a DNS server that supports dynamic updates. Here is the procedure on the DHCP server:

  1. Run the administrative tool, "DHCP" and highlight the DHCP server.
  2. Select "Action" and "Properties".
  3. Click the DNS tab.
  4. Select the checkbox "Enable updates for DNS clients that do not support dynamic update". Select the "Always update DNS" checkbox to have the DHCP server update DNS even for Windows 2000 clients. Note that when the zone uses secure dynamic updates, a record registered by the DHCP server is owned by the DHCP server's computer account; if a second DHCP server or the client itself must later update that record, put the DHCP servers in the DnsUpdateProxy group so the records are not locked to a single owner.

WINS Replication

When two WINS servers are configured to communicate with each other, replication occurs whenever the database on one of them changes. Servers are configured as push or pull partners, and a server can be both. Push partners send update notices when a database change is made. A pull partner asks its push partners for database entries more recent than its current listings. Only changes are replicated. Pull replication is preferred across slow links, since pull requests can be scheduled for specific times.
  • A pull partner pulls updates when it is started, then at the chosen times thereafter.
  • A push partner sends update notices when a change threshold is reached. Both the threshold and the update interval can be set.

Windows 2000 DNS

In Windows 2000, DNS is required to use Active Directory.

The Domain Name System (DNS) is used to translate internet domain and computer names into IP addresses and vice versa. DNS works at the application layer and uses both UDP and TCP on port 53 for transport. Queries normally go over UDP; TCP is used for zone transfers and when a UDP response is too large and comes back truncated. See the DNS section in the Networking Guide for more information about DNS. DNS was originally based on HOSTS files maintained by a centralized Network Information Center. Today it is based on a hierarchy of servers holding a distributed database spread throughout the network or internet.

DNS Levels

DNS is a hierarchical naming structure with the following levels:

  • Root - Designated by a dot (.).
  • Top level - Indicates the country or the type of organization, such as "org", "com", and "net".
  • Second level - Indicates the organization name; it is registered through a registrar for a yearly fee.

Notice that the highest level of the domain is written last. An example of a fully qualified domain name, including the trailing dot for the root, is:

comptechdoc.org.

DNS Operation

DNS Servers

On the client side, a DNS resolver sends queries to DNS servers. The resolver is normally part of a library routine or is built into the application. DNS servers keep name and IP address information in zone files. A zone is the stored information for a DNS domain or a set of DNS subdomains (DNS domains are not the same as Windows domains). Classic DNS zones were edited by hand; dynamic update (RFC 2136) lets hosts add and change their own records, and Windows 2000 DNS implements it, with the option of secure updates on Active Directory integrated zones. The administrator can create several aliases (CNAME records) for the same host. There are three types of name server, defined by how the server relates to the zone information:

  • Primary - The master copy of the zone file is stored locally on this server.
  • Secondary - Gets its data through a zone transfer from another server that is authoritative for the zone.
  • Caching only - Caches answers from other name servers and holds no zone files of its own.

A network should have both a primary and a secondary name server. When a zone is defined, some server must be configured as the master name server for that zone; different zones can have different masters. The master server provides copies of the zone information to the secondary DNS servers. Name servers can also be configured to get information from other name servers when it is not in the local database; these are forwarders and slaves. Name servers categorized by function:

  • Master - The zone authority that contains the master zone files.
  • Forwarders - A name server that passes name resolution requests to other name servers. This configuration is done on a per server basis.
  • Slaves - Name servers configured to use forwarders only; they do not contact other name servers themselves.

Windows introduces additional terminology:

  • Standard primary - The same as a primary DNS server listed above. This is a master server by function.
  • Active Directory integrated (primary) - DNS entries are stored in Active Directory rather than in a zone file. More than one of these primary servers may exist, because the zone data is copied by Active Directory replication. The term refers both to the Active Directory integrated zones and to the Active Directory data that holds them.
  • Standard secondary - The same as a secondary DNS server listed above. This is a slave server by function.
  • Root server - The server that holds the DNS data for the root zone. The root zone is either the organization's internal root zone or the internet root zone. An internal root server is used when a private network is not directly on the internet (no connection, or a connection only through a proxy server).

If the DNS server is connected to the internet, the DNS Server Wizard will not allow the DNS server to be configured as a root server.

Queries

Query types are:

  • Reverse - Getting the name from the IP address, done with a PTR query in the in-addr.arpa reverse lookup zone. Servers use these as a check that a connecting address maps back to a name; the check is only as trustworthy as whoever controls the reverse zone. The old "inverse query" opcode in the DNS protocol is a different, obsolete mechanism.
  • Iterative - The server gives its best answer: either the data or a referral to the name servers it knows are closer to the answer. This type of query is normally sent from one server to another.
  • Recursive - The queried server must return the final answer (or an error) and cannot refer the requester to another name server. Resolvers normally send recursive queries to their configured server.
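As an added illustration (example code written for this page, not from the original article or from Microsoft), the following Python builds the query types just described and decodes the reply header a resolver looks at: the RD bit that separates a recursive from an iterative query, the owner name used for a reverse (PTR) lookup, and the TC bit that tells the resolver to repeat the question over TCP. The names and addresses (comptechdoc.org from the example above, 192.168.1.10) and the truncated response are constructed sample data. A real resolver also checks that the question section of the reply matches what it asked; that is left out here.

```python
import ipaddress
import secrets
import struct

# Header flag bits, RFC 1035 section 4.1.1
FLAG_QR = 0x8000   # 1 = this message is a response
FLAG_TC = 0x0200   # answer was truncated to fit a 512-byte UDP message
FLAG_RD = 0x0100   # recursion desired (set by resolvers, clear on iterative queries)
FLAG_RA = 0x0080   # recursion available (set by the server in a response)
OPCODE_QUERY = 0
OPCODE_IQUERY = 1  # obsolete "inverse query" opcode (RFC 3425); not a reverse lookup

QTYPE = {"A": 1, "SOA": 6, "PTR": 12, "AXFR": 252}
QCLASS_IN = 1


def encode_name(name):
    """Encode 'comptechdoc.org.' as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ip):
    """Owner name of the PTR record for an address, i.e. what is queried in the reverse lookup zone."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def new_txid():
    """Unpredictable 16-bit transaction ID; sequential IDs make spoofed replies easy to land."""
    return secrets.randbits(16)


def build_query(qname, qtype, txid, recursive=True):
    """One-question query. recursive=True is what a stub resolver sends; False is an iterative query."""
    flags = (OPCODE_QUERY << 11) | (FLAG_RD if recursive else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE[qtype], QCLASS_IN)


def parse_header(msg):
    """Decode the 12-byte header so the caller can check QR, TC, RD/RA and the RCODE."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "opcode": (flags >> 11) & 0xF,
        "truncated": bool(flags & FLAG_TC),
        "recursion_desired": bool(flags & FLAG_RD),
        "recursion_available": bool(flags & FLAG_RA),
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def accept_response(query, response):
    """Sanity checks a resolver applies to a UDP reply, and whether the question must be repeated on TCP."""
    q = parse_header(query)
    r = parse_header(response)
    if not r["response"] or r["id"] != q["id"]:
        return "reject"          # not a reply, or not the reply to this transaction
    if r["truncated"]:
        return "retry_over_tcp"  # UDP answer was cut off at 512 bytes; repeat the query on TCP port 53
    return "accept"


# Constructed sample data: a recursive A query and a reply header with QR, TC, RD and RA set.
SAMPLE_QUERY = build_query("comptechdoc.org.", "A", 0x1234)
SAMPLE_TRUNCATED_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_TC | FLAG_RD | FLAG_RA, 1, 0, 0, 0)
    + SAMPLE_QUERY[12:]
)
```

The iterative form is what one server sends to another; the reverse lookup name is what a server builds before it can run the check mentioned under "Reverse" above.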

Zone Transfers

The serial number in the zone's SOA record is used to track DNS changes: a secondary only transfers the zone when the master's serial is newer than its own. The DNS notify function lets the master tell its secondaries that the zone changed, so they start a transfer at once instead of waiting for the refresh interval. Zone transfer types are:

  • Full - AXFR query - The whole zone is copied. When the secondary's refresh interval expires (or it receives a notify) it checks the master's serial, and if it needs the zone and cannot do an incremental transfer it sends an AXFR query.
  • Incremental - IXFR query - Only the entries added, changed or deleted since the secondary's serial are copied.
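The serial comparison that decides whether a transfer happens is easy to get wrong in practice (for example when a zone file is restored from backup and its serial goes backwards, after which secondaries silently stop updating), so here is an added example, not from the original page, implementing the RFC 1982 serial arithmetic a secondary uses, the resulting AXFR/IXFR/no-op decision, and a safe way to bump date-style serials. The serial values and server names are constructed.

```python
import datetime

SERIAL_MOD = 1 << 32
HALF_SPACE = 1 << 31


def serial_gt(a, b):
    """RFC 1982 comparison: is serial a newer than serial b?
    Handles the wrap at 2**32; two serials exactly half the space apart are
    incomparable and are treated as 'not newer'."""
    a %= SERIAL_MOD
    b %= SERIAL_MOD
    if a == b:
        return False
    return (a < b and b - a > HALF_SPACE) or (a > b and a - b < HALF_SPACE)


def secondary_action(local_serial, master_serial, have_zone=True, ixfr_supported=True):
    """What a secondary does after reading the master's SOA (on refresh expiry or DNS NOTIFY)."""
    if not have_zone:
        return "AXFR"            # no local copy yet: full transfer
    if serial_gt(master_serial, local_serial):
        return "IXFR" if ixfr_supported else "AXFR"
    return "NONE"                # master is equal, older, or out of range: keep the current copy


def next_serial(current, today_yyyymmdd=None):
    """Bump a YYYYMMDDnn-style serial so it never goes backwards.
    If the date-based value would not be higher than what is already published
    (more than 99 edits in a day, or a clock mistake), just add one."""
    if today_yyyymmdd is None:
        today_yyyymmdd = int(datetime.date.today().strftime("%Y%m%d"))
    date_based = today_yyyymmdd * 100 + 1
    return max(date_based, current + 1) % SERIAL_MOD


def stale_secondaries(master_serial, secondary_serials):
    """Names of secondaries that will never refresh because their serial is ahead of the master's.
    This is the usual result of restoring an older zone file on the master."""
    return [name for name, serial in secondary_serials.items() if serial_gt(serial, master_serial)]
```

When `stale_secondaries` reports a server, the fix on the master is to set the serial higher than every secondary's copy (or, if it cannot be raised that far, step it past the half-space in two increments), then notify.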

DNS Zones

Possible zones include:

  • Forward lookup zone - Name to IP address map.
  • Reverse lookup zone - IP address to name map.
  • Standard primary zone (primary zone) - The master copy of a forward or reverse lookup zone, held in a zone file.
  • Active Directory integrated zone - A forward or reverse lookup zone whose data (names and IP addresses) is stored in Active Directory and replicated to all domain controllers in the domain. Each of those domain controllers that runs DNS can accept updates to the zone, and the zone can be set to accept only secure dynamic updates. The zone data is not replicated to domain controllers outside the domain.
  • Standard secondary zone (secondary zone) - A read-only copy of a zone obtained by zone transfer from the master.

WINS Database

When a client is shut down it releases its name, but a WINS extinction interval keeps the record for some period in case the client comes back (as in the case of a reboot). During the extinction interval the record is reserved, so other clients cannot take the name until the interval expires. WINS files are in SystemRoot\System32\Wins. The WINS database is stored in a file named WINS.MDB, which can be backed up and repaired. The WINS service backs up the database every three hours (by default) to the configured backup path. Each record carries a version ID that replication partners use to find what has changed. To put an older copy of the database back in place of a newer one, delete the current database first. The easiest way to restore a database is to force replication from a WINS partner that has a good copy.

The database uses the following timers:

  • Renewal interval - Equivalent to a DHCP lease interval; the time a client has to re-register its NetBIOS name before it is released.
  • Extinction interval - The time a released record exists before it is tombstoned.
  • Extinction timeout - The time a tombstoned record exists before it is erased.
  • Verification interval - The time an active record replicated from another server exists before it is verified with the WINS server that owns the name.

WINS Proxy Agent

A WINS proxy agent can be configured to act as a relay for non-WINS clients (B-node clients that resolve names only by broadcast). The proxy agent intercepts the client's broadcast requests, forwards them to a WINS server and returns the response. It may also answer from its own cache without contacting the WINS server. One WINS proxy is used on each subnet that has non-WINS clients, so that machines not using WINS can still find resources on other subnets. There should be at most two proxy agents per subnet. The agent must be a Windows based client, not a server. When NetBIOS names are registered, both the proxy agent and the WINS server check the name. The proxy agent is configured at the following registry location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Set the EnableProxy parameter to REG_DWORD value of 1 and restart the computer.

WINS Operation

When a client needs to resolve a NetBIOS name and is configured for WINS, it sends the request directly to the WINS server over TCP/IP instead of broadcasting. WINS builds its database dynamically from client registrations: a WINS client announces its names to the WINS server rather than to every computer on the subnet. WINS message modes:

  • Client Name Registration - When a client service starts, the NetBIOS name for that service (the 15-character name plus the hidden 16th byte that identifies the service type) is sent to the WINS server. If the registration fails, the client retries every ten minutes. If the primary WINS server does not respond after three tries, the request goes to the secondary WINS server. If no WINS server responds, the client falls back to B-node broadcasts. On success the WINS server returns a time to live (TTL) giving how long the client may use the name. If the name is already registered to another address, the server sends a wait for acknowledgement (WACK) to the registering client and then challenges the current owner of the name. If the current owner responds, the new registration is rejected.
  • Client Lease Renewal - When the name lease is 50% used, the client sends a name renewal request with its name and IP address to the WINS server. At 7/8 of the lease the client tries again, then attempts renewal with the secondary WINS server. After four attempts with the secondary WINS server it returns to the primary WINS server.
  • Client Name Release - The client sends a name release message with its name and IP address. The server responds with a positive release response. If the client receives no confirmation, it broadcasts a NetBIOS release up to three times.
  • Server Name Query and Name Resolution Response - With a WINS server on the network, resolution uses H-node over UDP port 137 (NetBIOS Name Service). Name query order:
    1. Local cache
    2. WINS server (primary then secondary, two times).
    3. Broadcast
    4. Lmhosts file
    5. Hosts file
    6. DNS
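Added example, not part of the original page: the NetBIOS name encoding and the name registration request described above, in Python, together with the decode a WINS server or proxy agent performs on receipt and the accept-or-challenge decision from the registration rules above. The host name GOTHAM and the address 192.168.1.10 are constructed. Everything here travels as unauthenticated UDP on port 137, so nothing in the packet proves who sent it; that is why the server challenges the existing owner of a name rather than taking the newcomer's word for it.

```python
import socket
import struct

# Hidden 16th byte: which service the name belongs to
NB_SUFFIX = {"workstation": 0x00, "messenger": 0x03, "server": 0x20, "domain_master_browser": 0x1B}
ONT_B, ONT_P, ONT_M, ONT_H = 0, 1, 2, 3          # owner node type carried in NB_FLAGS
OPCODE_NAME_QUERY, OPCODE_REGISTRATION = 0, 5
NMFLAG_RD, NMFLAG_B = 0x0100, 0x0010             # recursion desired, broadcast
RR_TYPE_NB, RR_CLASS_IN = 0x0020, 0x0001


def netbios_name_bytes(name, suffix):
    """15-character name, space padded, plus the 16th byte that identifies the service."""
    raw = name.upper().encode("ascii")
    if len(raw) > 15:
        raise ValueError("NetBIOS names are at most 15 characters")
    return raw.ljust(15, b" ") + bytes([suffix])


def encode_first_level(name16):
    """RFC 1001 first-level encoding: each nibble becomes one letter A..P, giving a 32-byte label."""
    out = bytearray()
    for b in name16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def decode_first_level(label32):
    if len(label32) != 32 or any(c < 0x41 or c > 0x50 for c in label32):
        raise ValueError("not a first-level encoded NetBIOS name")
    pairs = zip(label32[0::2], label32[1::2])
    return bytes(((hi - 0x41) << 4) | (lo - 0x41) for hi, lo in pairs)


def nbns_qname(name, suffix, scope=""):
    """Encoded name label followed by the (usually empty) NetBIOS scope, terminated like a DNS name."""
    out = bytes([32]) + encode_first_level(netbios_name_bytes(name, suffix))
    for part in scope.split("."):
        if part:
            out += bytes([len(part)]) + part.encode("ascii")
    return out + b"\x00"


def build_registration(txid, name, suffix, ip, node_type=ONT_H, ttl=300000, group=False):
    """NAME REGISTRATION REQUEST (RFC 1002 4.2.2): one question plus an additional RR carrying the IP."""
    flags = (OPCODE_REGISTRATION << 11) | NMFLAG_RD
    if node_type == ONT_B:
        flags |= NMFLAG_B                        # broadcast registration; WINS clients unicast instead
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    question = nbns_qname(name, suffix) + struct.pack("!HH", RR_TYPE_NB, RR_CLASS_IN)
    nb_flags = (0x8000 if group else 0) | (node_type << 13)
    rdata = struct.pack("!H", nb_flags) + socket.inet_aton(ip)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", RR_TYPE_NB, RR_CLASS_IN, ttl, len(rdata)) + rdata
    return header + question + rr


def parse_request(msg):
    """Decode the header, question and (for registrations) the address RR, as a WINS server or proxy would."""
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1 or msg[12] != 32:
        raise ValueError("expected one question carrying a 32-byte encoded NetBIOS name")
    name16 = decode_first_level(msg[13:45])
    info = {"id": txid, "opcode": (flags >> 11) & 0xF, "broadcast": bool(flags & NMFLAG_B),
            "name": name16[:15].rstrip(b" ").decode("ascii"), "suffix": name16[15]}
    pos = 45                                     # skip any scope labels after the encoded name
    while msg[pos] != 0:
        pos += 1 + msg[pos]
    pos += 1 + 4                                 # zero terminator, then question type and class
    if info["opcode"] == OPCODE_REGISTRATION and arcount == 1:
        pos += 2                                 # compressed name pointer back to the question
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        nb_flags, = struct.unpack("!H", msg[pos + 10:pos + 12])
        info.update(ttl=ttl, group=bool(nb_flags & 0x8000), node_type=(nb_flags >> 13) & 0x3,
                    ip=socket.inet_ntoa(msg[pos + 12:pos + 16]))
    return info


def wins_registration_decision(db, request):
    """Server side of a registration: new names and re-registrations from the same address are accepted;
    a conflicting address gets a WACK, and the server must challenge the current owner before answering."""
    if request["opcode"] != OPCODE_REGISTRATION:
        raise ValueError("not a registration request")
    key = (request["name"], request["suffix"])
    current = db.get(key)
    if current is None or current == request["ip"]:
        db[key] = request["ip"]
        return "positive_response"
    return "wack_then_challenge_owner"
```

The `db` in the last function stands in for the WINS.MDB records described in the WINS Database section; the challenge to the current owner would be a name query sent to the address stored there.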

Windows 2000 WINS

The purpose of WINS is to convert a NetBIOS name to an IP address, so computers using WINS must be running NBT (NetBIOS over TCP/IP). WINS was introduced to get around a shortcoming of NetBEUI, which is not routable: on larger networks IP carries NetBIOS, and rather than relying on broadcasts (which do not cross routers) name information is sent to the WINS server.

WINS converts Windows computer names to IP addresses but does not do lookups by IP address. Using Windows Explorer or the NET commands invokes the NetBIOS interface. A NetBIOS name repeated in another domain on the same network causes a problem, since there is no way to distinguish NetBIOS names between two domains. Each computer, when booted, sends a name registration broadcast; if nobody objects, the computer uses the name it registered. A NetBIOS broadcast releases the computer name when the computer is shut down gracefully.

WINS reduces this broadcast traffic for NBT. Registration and release messages go to the WINS server rather than being broadcast. Clients hold the IP address of the WINS server and are configured to use WINS before falling back to NetBIOS broadcasts. A backup (secondary) WINS server may be available on the network for fault tolerance.

Five NBT Name Resolution Methods

  • B-node - Broadcast - Uses UDP broadcast datagrams. The default node type when no WINS server is configured.
  • P-node - Peer to peer - Uses a NetBIOS name server such as WINS. If the WINS server is not available, broadcasts are not used as a fallback. The WINS server address must be configured on each client, either by hand or through DHCP (option 44 for the WINS servers, option 46 for the node type).
  • M-node - Mixed - Tries B-node, then P-node resolution.
  • H-node - Hybrid - Tries P-node, then B-node resolution. In Windows 2000 the LMHOSTS and HOSTS files are checked next, and finally the DNS server.
  • Microsoft enhanced B-node - Checks the name cache, which is loaded from the LMHOSTS file at boot (entries marked #PRE). If the cache misses, a broadcast is sent, and the LMHOSTS file is checked if broadcasting does not resolve the query.

Create and Configure an Active Directory Site

This article describes how to create and configure an Active Directory site in a Windows 2000-based environment. The procedures in this article must be performed by a member of the Administrators group on a Windows 2000 Server-based computer. For additional conceptual information about sites, see the "Reference" section in this article.

How to Create a Site
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the console tree, right-click the Sites folder, and then click New Site.
3. In the Name box, type the name for the new site.
4. Under Link Name, click a site link object, and then click OK.


How to Associate a Subnet with the New Site

1. In the Active Directory Sites and Services console tree, right-click the subnet with which you want to associate the site, and then click Properties.
2. In the Site box, click the new site, and then click OK.

How to Move a Domain Controller to the New Site
1. In the Active Directory Sites and Services console tree, right-click the domain controller that you want to move to a different site, and then click Move.
2. In the Move Server dialog box, click the site to which you want to move the domain controller, and then click OK.
Note that you can also use this procedure to move servers between sites.


How to Delegate Control
1. In the Active Directory Sites and Services console tree, right-click the container whose control you want to delegate, and then click Delegate Control to start the Delegation of Control wizard.
2. In the Delegation of Control wizard, click Next to continue.
3. Click Add.
4. In the Name box, click the appropriate user or group, and then click Add. Repeat this step for all users or groups that you want to add, and then click OK.
Note that you can delegate control for the Subnets, Inter-Site Transports, Sites, and Server containers by using the Active Directory Sites and Services tool. You can delegate control of an object to specify who has permission to access or modify that object or its child objects.

SUMMARY
This step-by-step article describes how to create and configure a site link in Active Directory. Note that for the site link to become active, there must be at least two sites available in Active Directory.

A Site Link object represents a set of sites that can communicate at uniform cost through an inter-site transport. For IP transport, a typical site link connects just two sites and corresponds to an actual wide area network (WAN) link. An IP site link that connects more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that connects more than two clusters of buildings on a large campus, or several offices in a large metropolitan area that are connected through leased lines and IP routers.

Requirements
The procedure in this article uses the Active Directory Sites and Services snap-in. You can use this snap-in only from a computer that has access to a Windows 2000-based domain. The Active Directory Sites and Services snap-in is installed on all Windows 2000-based domain controllers. To use the Active Directory Sites and Services snap-in on a computer that is not a domain controller, such as a computer that runs Microsoft Windows 2000 Professional, install the Windows 2000 Administration Tools package.

How to Create a Site Link
To create a new site link:
1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Expand the Inter-Site Transports node (if it is not already expanded), right-click IP (or click SMTP if you want to use SMTP as the inter-site transport protocol), and then click New Site Link.

NOTE : If you have only one site in Active Directory, you receive a message that states that two sites are required for the site link to work. Click OK to continue.

You then see your new link in the Details pane if you click the IP node in the Inter-Site Transports node (or in the SMTP node if you created the link with the SMTP transport.)

Rename the DC

If the DC's domain functional level is set to "Windows Server 2003," you can use the Netdom tool to rename the DC. Microsoft supplies Netdom as part of the Windows Support Tools, which are available from the Windows Server 2003 installation CD-ROM. To rename the DC using Netdom, perform the following steps:
1. Start a command-prompt session.
2. Add the new name to the current server (it will now have two names) by typing
   netdom computername <current computer name or IP address> /add:<new name>
   For example, when I typed
   netdom computername gotham.savilltech.com /add:omega.savilltech.com
   my computer displayed the following message:
   Successfully added omega.savilltech.com as an alternate
   name for the computer.

   The command completed successfully.
3. If multiple DNS servers are used, you must wait until the new name replicates to all authoritative DCs. After the new name has replicated, continue to the next step.
4. Make the new name the primary name for the machine by typing
   netdom computername <current computer name or IP address> /makeprimary:<new name>
   For example, when I typed
   netdom computername gotham.savilltech.com /makeprimary:omega.savilltech.com
   my computer displayed the following message:
   Successfully made omega.savilltech.com the primary
   name for the computer. The computer must be rebooted for
   this name change to take effect. Until then this computer
   may not be able to authenticate users and other computers,
   and may not be authenticated by other computers in the
   forest. The specified new name was removed from the list
   of alternate computer names. The primary computer name will
   be set to the specified new name after the reboot.

   The command completed successfully.
5. Reboot the computer.
6. After you reboot the machine, wait until all the domain locator records replicate to all authoritative DNS servers. After the replication is complete, check to ensure that the rename worked successfully by checking the name on the Computer Name tab of the Control Panel System applet. You can also view all computer names by typing
   netdom computername <computer name> /enumerate
   For example, when I typed
   netdom computername omega.savilltech.com /enum
   my computer displayed the following:
   All of the names for the computer are:
   omega.savilltech.com
   gotham.savilltech.com

   The command completed successfully.
7. You can now remove the old name by typing
   netdom computername <computer name> /remove:<old name>
   For example, when I typed
   netdom computername omega.savilltech.com /remove:gotham.savilltech.com
   my computer displayed the following:
   Successfully removed gotham.savilltech.com as an alternate
   name for the computer.

   The command completed successfully.
   You can enumerate the names again to show that the old name has been removed.
