Inside Windows Server 2003 [Electronic resources] - text version


Addison Wesley

Managing Dynamic DNS


Keeping a traditional DNS zone updated with new resource records requires lots of manual work. A large network with thousands of servers needs a full-time administrator just to manage DNS. With Dynamic DNS, clients and servers can register their A records automatically at boot time. Application servers can register SRV and other specialized records. Outdated records can be scavenged periodically to prevent clutter. It's a fairly automated process. Dynamic DNS probably won't do away with the need for full-time DNS management in a big network, but it should help rescue the administrator from a little of the tedium.

This topic covers how to enable Dynamic DNS in Windows Server 2003, how to configure security so that only trusted clients can register their resource records, and how to maintain the zone to prevent accumulating outdated records.

Configuring a Dynamic Zone


After you have installed and configured a Windows Server 2003 running DNS, enable Dynamic DNS for a particular zone as shown in Procedure 5.18.

Procedure 5.18 Configuring a Dynamic Zone


  1. Open the DNS console.

  2. Right-click the zone that you want to configure for Dynamic DNS and select PROPERTIES from the flyout menu. The Properties window opens.

  3. On the General tab, set the Dynamic Updates option to allow updates. For a standard primary zone the only permissive choice is Nonsecure and Secure; the Secure Only setting requires an Active Directory-integrated zone (see "Managing Dynamic DNS Security" later in this topic).

  4. Click OK to save the change and return to the DNS console.

  5. Verify that dynamic registration works by opening a command prompt at a Windows Server 2003 client that is configured to use this DNS server and entering ipconfig /registerdns. The host record is added to the zone file automatically. You may need to refresh the console to see it.


You must configure the reverse lookup zones for dynamic updates, as well. If you fail to do this, DNS will add A records but not PTR records when new clients come online, and the client logs the failed PTR registration without retrying until its next refresh.
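The following script is an added example, not code from the book, that carries out Procedure 5.18 and the reverse-zone note above from the command line. It uses dnscmd.exe (Windows Server 2003 Support Tools) to open a forward zone and its matching reverse zone for updates, triggers a registration from the client, and then checks from the client's point of view that both the A and the PTR record were created. The server, zone and subnet names are hypothetical, and the parsing of the "update = N" line printed by dnscmd /ZoneInfo is an assumption about its output format.

```powershell
# Added example, not from the book: enable dynamic updates on a forward zone and on
# its matching reverse zone with dnscmd.exe, register this client, and check that
# both the A and the PTR record were created.
# Assumptions: server, zone and subnet names are hypothetical; this runs on a client
# whose DNS server is $DnsServer; dnscmd.exe and nslookup.exe are on the path; the
# "update = N" line that dnscmd /ZoneInfo prints is parsed as shown.
$DnsServer   = 'dns1.company.com'       # hypothetical
$ForwardZone = 'company.com'            # hypothetical
$ReverseZone = '1.1.10.in-addr.arpa'    # hypothetical reverse zone for 10.1.1.0/24

function Set-ZoneDynamicUpdate {
    param([string]$Server, [string]$Zone, [ValidateRange(0, 2)][int]$Mode)
    # /AllowUpdate 0 = none, 1 = nonsecure and secure, 2 = secure only (AD-integrated zones only)
    & dnscmd $Server /Config $Zone /AllowUpdate $Mode | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dnscmd could not configure zone $Zone (exit $LASTEXITCODE)" }
}

function Get-ZoneDynamicUpdate {
    param([string]$Server, [string]$Zone)
    # Assumed output format: dnscmd /ZoneInfo prints a property line "  update = 1"
    $line = & dnscmd $Server /ZoneInfo $Zone | Where-Object { $_ -match '^\s*update\s*=\s*\d' }
    if ($line -and ($line -match '=\s*(\d)')) { return [int]$matches[1] }
    return $null
}

function Test-HostRegistration {
    param([string]$Server, [string]$Fqdn)
    # Returns whether the A record exists and whether its address has a PTR pointing back at the host
    $aOut = & nslookup -type=A $Fqdn $Server 2>&1 | Out-String
    $ip   = $null
    if ($aOut -match 'Name:\s+\S+\s+Address(?:es)?:\s+(\d{1,3}(?:\.\d{1,3}){3})') { $ip = $matches[1] }
    $ptrOk = $false
    if ($ip) {
        $pOut  = & nslookup -type=PTR $ip $Server 2>&1 | Out-String
        $ptrOk = [bool]($pOut -match [regex]::Escape($Fqdn))
    }
    New-Object PSObject -Property @{ Host = $Fqdn; IP = $ip; ARecord = [bool]$ip; PtrRecord = $ptrOk }
}

# 1. Open both zones. Forgetting the reverse zone is the usual reason PTR records never appear.
Set-ZoneDynamicUpdate -Server $DnsServer -Zone $ForwardZone -Mode 1
Set-ZoneDynamicUpdate -Server $DnsServer -Zone $ReverseZone -Mode 1
"$ForwardZone update mode: $(Get-ZoneDynamicUpdate -Server $DnsServer -Zone $ForwardZone)"
"$ReverseZone update mode: $(Get-ZoneDynamicUpdate -Server $DnsServer -Zone $ReverseZone)"

# 2. Register this client, then give the asynchronous registration a moment to land
ipconfig /registerdns | Out-Null
Start-Sleep -Seconds 15

# 3. Verify the A and PTR records as the client sees them
Test-HostRegistration -Server $DnsServer -Fqdn ("$env:COMPUTERNAME.$ForwardZone".ToLower()) |
    Format-List Host, IP, ARecord, PtrRecord
```

If ARecord is true and PtrRecord is false after the wait, the forward zone is accepting updates but the reverse zone is not, which is exactly the failure the note above describes; re-run the second Set-ZoneDynamicUpdate call and check the server's DNS event log for an update refused on the reverse zone.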

Managing Dynamic DNS Security


If you enable Dynamic DNS with no security options, it is possible that a computer can come online with the same name as a host that is already in the zone and overwrite the A record. This has the potential to be very disruptive. Imagine that your company post office has the name MAIN-PO. A user could bring a workstation online called MAIN-PO and DNS would obediently overwrite the A record of the post office. If it is a malicious user doing this, you have a real problem.

The only way to avoid this behavior is to integrate the zone into Active Directory and set dynamic updates to Secure Only, which requires Dynamic DNS clients to be members of the domain. A client then authenticates its update with a Kerberos-signed (GSS-TSIG) transaction, and each record it registers becomes a Directory object whose permissions allow only the account that created it (and the DNS administrators) to change it. A second computer therefore cannot overwrite the record, and in any case two computers are not permitted to have the same name in an Active Directory domain.

After a zone has been integrated into the Directory, the resource records are protected by Active Directory object security. DNS clients that are not domain members cannot dynamically register their host records. Figure 5.16 shows a System log error from the DNSAPI service on a Windows Server 2003 DNS client that has attempted to register a host record when it is not a member of the domain.

Figure 5.16. Event Properties from System log showing rejected registration attempt by client that is not a domain member.


The disadvantage to this security method is that not all your desktops might be running a modern Windows client. They might not even be running Windows. Clients that cannot perform secure updates (Windows 9x and NT4, or non-Windows hosts) can still have their records registered on their behalf by a Windows Server 2003 or Windows 2000 DHCP server, which is a domain member. See "Configuring DHCP to Support DNS" for details.
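The script below is an added example, not code from the book, showing the secure-update configuration described above from the command line and, more usefully, how to confirm that the protection is in place: it converts a zone to Directory storage, sets Secure Only, and then reads the ACL on one registered record with dsacls.exe to show that the owner is the computer account that created it. The domain controller, zone and host names are hypothetical, and the distinguished name of the record assumes the zone replicates in the DomainDnsZones application partition; zones stored in the domain partition for Windows 2000 compatibility sit under CN=MicrosoftDNS,CN=System instead. The last command is meant to be run on the client that was refused and needs PowerShell 2.0 or later for Get-EventLog -Source.

```powershell
# Added example, not from the book: store a zone in Active Directory, restrict it to
# secure updates, and then inspect who may modify one registered record, which is the
# mechanism that stops a second machine from overwriting MAIN-PO.
# Assumptions: $DnsServer is a domain controller for company.com (hypothetical); the
# zone replicates in the DomainDnsZones partition, which fixes the dnsNode DN built
# below; dnscmd.exe and dsacls.exe are on the path.
$DnsServer = 'dc1.company.com'     # hypothetical
$Zone      = 'company.com'         # hypothetical
$HostName  = 'main-po'             # record to protect

function Set-ZoneSecureOnly {
    param([string]$Server, [string]$ZoneName)
    # Secure-only updates require Directory storage, so convert first, then set /AllowUpdate 2
    & dnscmd $Server /ZoneResetType $ZoneName /DsPrimary | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not make $ZoneName Directory-integrated (exit $LASTEXITCODE)" }
    & dnscmd $Server /Config $ZoneName /AllowUpdate 2 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not set secure-only updates on $ZoneName (exit $LASTEXITCODE)" }
}

function Get-RecordAcl {
    param([string]$ZoneName, [string]$Name, [string]$DomainDn)
    # Hypothetical DN layout: dnsNode objects sit under CN=MicrosoftDNS of the application partition
    $dn = "DC=$Name,DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$DomainDn"
    & dsacls $dn 2>&1 | Where-Object { $_ -match 'Owner:|Allow ' }
}

Set-ZoneSecureOnly -Server $DnsServer -ZoneName $Zone

# The owner of a securely registered record is the computer account that created it
# (COMPANY\MAIN-PO$). Only that account and the DNS administrators get write access,
# so another host that tries to register itself as MAIN-PO is refused.
Get-RecordAcl -ZoneName $Zone -Name $HostName -DomainDn 'DC=company,DC=com'

# On a workstation that is not a domain member the refusal is logged in the System log
# under source DnsApi (the event the book shows in Figure 5.16). Run this on that client:
Get-EventLog -LogName System -Source DnsApi -Newest 10 |
    Where-Object { $_.EntryType -eq 'Error' } |
    Format-List TimeGenerated, EventID, Message
```

A practical check after enabling Secure Only is to watch the dsacls output for any record whose owner is the DHCP server's computer account rather than the client's: records registered by DHCP on behalf of clients are owned by the DHCP server, so a client that later registers for itself will be refused until that record is removed or the DHCP server is configured to register on the client's behalf consistently.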

Disabling DNS on an Interface


If you do not integrate a dynamic zone into Active Directory, you can at least take steps to prevent outsiders from reaching the service at all. If you have a DNS server with two network interfaces, for example, one connected to the public network and the other connected to the local network, you can stop the DNS service from listening (and therefore from accepting Dynamic DNS registrations) on the public interface. Do this by completing the steps in Procedure 5.19.

Procedure 5.19 Disabling DNS on an Interface


  1. Open the DNS console.

  2. Right-click the server icon and select PROPERTIES from the flyout menu. The Properties window opens with the Interfaces tab selected.

  3. Under Listen On, select the Only the Following IP Addresses option.

  4. Use the Remove button to delete all but the private interface.

  5. Click OK to save the new settings and return to the DNS console.

  6. Close the console.



Registry Tip: Dynamic Updates


The Listen On option sets the DNS server's ListenAddresses value (HKLM | System | CurrentControlSet | Services | DNS | Parameters); the value is absent when the server listens on all addresses. That controls which addresses the service answers on. It does not stop the server machine's own TCP/IP client from registering the public interface's address in DNS. That is governed by a separate per-interface value, which corresponds to the Register This Connection's Addresses in DNS checkbox on the adapter's advanced TCP/IP properties:


Key:


HKLM | System | CurrentControlSet | Services | TcpIp | Parameters | Interfaces | {GUID}


Value:


DisableDynamicUpdate


Data:


0x1 disables updates; 0x0 enables updates
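The script below is an added example, not code from the book, for auditing a multi-homed DNS server against the two settings just described. It lists the addresses the DNS service listens on (ListenAddresses) and, for every adapter GUID under the Tcpip Interfaces key, the adapter's addresses and whether DisableDynamicUpdate is set; with the -Disable switch it writes DisableDynamicUpdate=1 for the adapter holding the public address you pass. The registry paths are the standard Windows ones; the public address and the dual-homed layout are assumptions, and the script needs local administrator rights to write the value.

```powershell
# Added example, not from the book: on a multi-homed DNS server, show which adapters
# the DNS service listens on and which adapters the TCP/IP client registers in DNS.
# Assumptions: standard Tcpip and DNS service registry paths; -PublicIp is the address
# of the hypothetical public NIC; writing requires local administrator rights.
param([string]$PublicIp, [switch]$Disable)

$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
$dnsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-AdapterRegistrationState {
    # One object per interface GUID: its addresses and whether client registration is turned off
    Get-ChildItem $ifRoot | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        New-Object PSObject -Property @{
            Guid                 = $_.PSChildName
            IPAddress            = (@($p.IPAddress) -join ',')      # static addresses (REG_MULTI_SZ); empty on DHCP adapters
            DhcpIPAddress        = $p.DhcpIPAddress
            DisableDynamicUpdate = [int]($p.DisableDynamicUpdate -eq 1)   # value absent means registration enabled (0)
        }
    }
}

function Get-DnsServerListenAddresses {
    # ListenAddresses is absent when the server listens on all addresses (the console default)
    $v = (Get-ItemProperty $dnsKey -ErrorAction SilentlyContinue).ListenAddresses
    if ($v) { return @($v) } else { return @('(all addresses)') }
}

'DNS service listens on: ' + ((Get-DnsServerListenAddresses) -join ', ')
Get-AdapterRegistrationState | Format-Table Guid, IPAddress, DhcpIPAddress, DisableDynamicUpdate -AutoSize

if ($Disable -and $PublicIp) {
    $targets = Get-AdapterRegistrationState |
        Where-Object { $_.IPAddress -match [regex]::Escape($PublicIp) -or $_.DhcpIPAddress -eq $PublicIp }
    foreach ($t in $targets) {
        Set-ItemProperty -Path (Join-Path $ifRoot $t.Guid) -Name DisableDynamicUpdate -Value 1 -Type DWord
        "DisableDynamicUpdate=1 set on $($t.Guid) ($PublicIp); takes effect at the next registration (ipconfig /registerdns)"
    }
}
```

Run it once without -Disable to see the current state; on a server that has had Procedure 5.19 applied, ListenAddresses should list only the private address, and the public adapter should show DisableDynamicUpdate = 1 after the -Disable run. Both settings are needed: Listen On keeps outsiders from sending updates to the server, and DisableDynamicUpdate keeps the server from advertising its public address inside the zone.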

Configuring Scavenging


Dynamically registered records can become obsolete when machines crash or come on and off the network at infrequent intervals, as laptops are prone to do. When scavenging is enabled, DNS stamps each dynamically registered resource record with the time it was last refreshed. Scavenging removes records that have not been refreshed for longer than the sum of the no-refresh and refresh intervals, which is 14 days with the default value of seven days for each.

If you enable scavenging, the format of the zone file changes to carry the timestamp alongside each aged record. This is a proprietary change, so you cannot move the zone file to a non-Windows name server. A standard secondary can still pull the zone, because the timestamps are not part of the resource records and the DNS server leaves them out of zone transfers.

Scavenging can be enabled for a single zone or for all zones on the server. Enable scavenging for a zone as follows in Procedure 5.20.

Procedure 5.20 Configuring Scavenging


  1. Open the DNS console.

  2. Right-click the zone icon and select PROPERTIES from the flyout menu. The Properties window opens.

  3. At the General tab, click Aging. The Zone Aging/Scavenging Properties window opens.

  4. Select the Scavenge Stale Resource Records option.

  5. Leave the default seven-day values for No-Refresh Interval and Refresh Interval.

  6. Click OK to save the settings. A warning message appears informing you that the zone file record format will be changed.

  7. Click Yes to acknowledge the warning and apply the change.

  8. At the Properties window, click OK to save the changes and close the window.


From this point forward, any new dynamic registrations are assigned an aging value. Old records will be purged when scavenge runs. Set scavenging to run periodically as follows in Procedure 5.21.

Procedure 5.21 Setting Periodic Scavenging


  1. Right-click the server icon and select PROPERTIES from the flyout menu. The Properties window opens.

  2. Select the Advanced tab (see Figure 5.17).

    Figure 5.17. DNS Server Properties window, Advanced tab, showing automatic scavenging enabled.

  3. Select the Enable Automatic Scavenging of Stale Records option.

  4. Leave the Scavenging Period set for the default of seven days.

  5. Click OK to save the settings and close the window.


You should arrange to check the status of the zone file periodically to make sure that scavenge is working. If you see many old records that should have been scavenged, try scavenging them manually. If that succeeds, check your periodic scavenging settings. If it does not succeed, make sure that you have correctly configured scavenging to work for the zone. Keep in mind that only records with a timestamp are ever scavenged: records you enter by hand have no timestamp, and records that were registered before aging was enabled get one only when their client next refreshes them (or when you age all records from the zone's context menu).
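The script below is an added example, not code from the book, that makes the aging arithmetic in Procedures 5.20 and 5.21 concrete. It takes the output of dnscmd /EnumRecords, which annotates each aged record with a timestamp, and works out which records have outlived the no-refresh and refresh intervals and will go at the next scavenge pass, while records with no timestamp are reported as permanent. The three sample lines are constructed, the "[Aging:NNNNNNN]" field is assumed to be the record's refresh time expressed in hours since 1 January 1601 (the format dnscmd prints), and the fixed "now" makes the sample reproducible; replace $sample with the real dnscmd output and $Now with Get-Date to run it against a live zone.

```powershell
# Added example, not from the book: decide which dynamically registered A records in a
# zone are eligible for scavenging, from the timestamps dnscmd prints.
# Assumptions: the sample lines are constructed; "[Aging:N]" is the refresh time in
# hours since 1601-01-01 as printed by  dnscmd <server> /EnumRecords <zone> @ /Type A
$NoRefreshHours = 168   # 7 days, the console default
$RefreshHours   = 168   # 7 days, the console default
$Now            = [datetime]'2003-06-01'   # fixed "now" (= 3527472 hours since 1601-01-01)

$sample = @'
main-po                     1200 A  10.1.1.5
wks-0451   [Aging:3527000]  1200 A  10.1.1.77
lap-0099   [Aging:3527300]  1200 A  10.1.1.91
'@ -split "`r?`n"

function ConvertFrom-DnscmdAging {
    param([int64]$Hours)
    # dnscmd counts hours from the NT epoch, 1 January 1601
    ([datetime]'1601-01-01').AddHours($Hours)
}

function Get-ScavengeCandidate {
    param([string[]]$Lines, [datetime]$At, [int]$NoRefresh, [int]$Refresh)
    foreach ($l in $Lines) {
        if ($l -notmatch '^(\S+)\s+(?:\[Aging:(\d+)\]\s+)?\d+\s+A\s+(\S+)') { continue }
        $name  = $matches[1]
        $aging = $matches[2]
        $ip    = $matches[3]
        if (-not $aging) {
            # No timestamp: entered by hand, or registered before aging was enabled. Never scavenged.
            New-Object PSObject -Property @{ Name = $name; IP = $ip; Stamp = $null; Stale = $false; Note = 'no timestamp, never scavenged' }
            continue
        }
        $stamp = ConvertFrom-DnscmdAging -Hours ([int64]$aging)
        # A refresh that arrives inside the no-refresh interval does not move the stamp; the
        # record becomes eligible only after both intervals have passed with no refresh at all.
        $eligibleAt = $stamp.AddHours($NoRefresh + $Refresh)
        New-Object PSObject -Property @{
            Name  = $name; IP = $ip; Stamp = $stamp
            Stale = ($At -ge $eligibleAt)
            Note  = 'eligible from ' + $eligibleAt.ToString('yyyy-MM-dd HH:mm')
        }
    }
}

# With the sample data: wks-0451 was last refreshed 472 hours ago (stale), lap-0099 172 hours
# ago (inside the window), and main-po has no timestamp (kept).
Get-ScavengeCandidate -Lines $sample -At $Now -NoRefresh $NoRefreshHours -Refresh $RefreshHours |
    Format-Table Name, IP, Stamp, Stale, Note -AutoSize

# The dnscmd equivalents of Procedures 5.20 and 5.21, to run on the DNS server:
#   dnscmd /Config company.com /Aging 1 /NoRefreshInterval 168 /RefreshInterval 168
#   dnscmd /Config /ScavengingInterval 168    # server-wide scavenging period, in hours
#   dnscmd /StartScavenging                   # run one pass now instead of waiting for the period
```

When the report shows records marked stale that survive pass after pass, the usual causes are that automatic scavenging is off at the server level (Procedure 5.21), that the zone itself has aging disabled (Procedure 5.20), or that the server has been restarted and is still waiting out one refresh interval before it will scavenge the zone at all.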

WINS Forwarding


Although WINS forwarding is not strictly a Dynamic DNS feature, it is covered here because it provides essentially the same service.

In NT4 DNS, Microsoft introduced a couple of new DNS resource records, WINS and WINS-R, that contain the IP address of a WINS server to use in the event that a host address cannot be located in the local zone file. This record is added and configured using a special properties page in the zone properties. Access the page by right-clicking the zone icon, selecting PROPERTIES from the flyout menu, and then selecting the WINS tab. A similar page for the WINS-R record is present in the Properties window for a reverse lookup zone. Figure 5.18 shows an example.

Figure 5.18. Zone Properties window showing the WINS tab.


The Use WINS Forward Lookup option is disabled by default. When selected, it creates a WINS resource record. A Windows Server 2003 running DNS recognizes this WINS record and uses it to locate a WINS server to use for forwarding.

If you elect to use WINS forwarding, add the IP address of at least one WINS server to the list by entering the IP address and clicking Add. You can specify more than one WINS server for fault tolerance.

The Do Not Replicate This Record option is not selected by default. It keeps the WINS record out of zone transfers so that it does not reach secondary servers that do not recognize the record type, such as non-Microsoft name servers that would otherwise reject the transfer. Select it whenever the zone has secondaries of that kind.
