Professional Windows Server 2003 Security: A Technical Reference [Electronic resources] (text version)

Roberta Bragg

DNS Tasks

DNS administration tasks are performed using the DNS console, which
can be opened by either:

Start → Programs → Administrative Tools → DNS

Command line: dnsmgmt.msc

In addition, many DNS administration tasks can also be performed from
the command line using the following utilities, found in DEPLOY.CAB in
the \SUPPORT\TOOLS folder on your product CD:

Dnscmd
    Particularly useful for scripted administration of DNS servers.

DNSLint
    Can be used to diagnose and repair problems caused by missing or
    incorrect DNS records in a domain environment.



Install DNS Manually

On a standalone server, first open the TCP/IP Properties sheet for
your Local Area Connection, assign your server a static IP address,
and specify the server's own IP address as its preferred DNS server.
Then install the DNS service using Add or Remove Programs in Control
Panel. Finally, configure your new name server by creating forward-
and reverse-lookup zones; adding A, PTR, or other records to your
zones; configuring zone transfers with other DNS servers; and so on.
These tasks are described later in this section.

Install DNS Using Wizard

Start → Manage Your Server → Add or Remove Role

If your server is going to be the first server in your forest, select
Typical Setup for a First Server as the role and follow the prompts.
The wizard suggests a DNS name of the form organization.local for
your root domain, where organization is the company name you
specified when you installed WS2003 on your machine. The wizard also
creates the necessary forward- and reverse-lookup zones automatically
and allows you to specify the IP address of your ISP's name server as
a forwarder for resolving hosts on the Internet.

If your server will be a standalone name server, select DNS Server as
the role, and the Configure a DNS Server Wizard leads you through the
process of creating forward- and reverse-lookup zones for your
domain. If you abort the wizard, DNS is installed, but you have to
create your zones manually using the DNS console.

Create a Forward-Lookup Zone

Right-click on Forward Lookup Zones → New Zone

This starts the New Zone Wizard. The path through the wizard depends
on the type of zone you create and whether Active Directory is
installed. On standalone servers the process is simple. For example,
to create a primary zone:

Primary zone → specify DNS name → disable dynamic updates for optimal security

To create a secondary or stub zone:

Secondary or stub zone → specify DNS name → specify IP address of master name server from which zone information will be obtained

If Active Directory-integrated zones are being used, extra steps are
involved. For example, to create a primary zone:

Primary zone → specify DNS replication scope → specify DNS name → enable dynamic updates for easiest administration

The replication scope defines the other name servers your machine
will perform zone transfers with and can be forestwide, domainwide,
domain controllers only, or an Active Directory partition. The
default is all domain controllers in the local domain.

Secondary zones aren't stored in Active Directory,
so the procedure is the same as for standalone servers. Stub zones
may or may not be stored in Active Directory as desired.

Create a Reverse-Lookup Zone

Right-click on Reverse Lookup Zones → New Zone

The rest is the same as creating a forward-lookup zone, except
instead of specifying a zone name, you specify a network ID, and the
wizard automatically creates the name for the zone in the standard
in-addr.arpa format. For example, if you specify 172.16.13 as the
network ID, the reverse-lookup zone is automatically named
13.16.172.in-addr.arpa.
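The naming rule the wizard applies, written out in Python as an added example (this is not code from the book or from Microsoft). It generalizes the 172.16.13 case to any 1-, 2- or 3-octet network ID, derives the full PTR owner name for a host address, and checks which octet-aligned reverse zone a host's PTR record belongs in; the function names are my own.

```python
"""Reverse-lookup zone naming as the New Zone Wizard performs it (added example)."""
import ipaddress


def reverse_zone_name(network_id: str) -> str:
    """Return the in-addr.arpa zone name for a 1-, 2- or 3-octet IPv4 network ID.

    The octets typed into the wizard are reversed and 'in-addr.arpa' is appended,
    so '172.16.13' becomes '13.16.172.in-addr.arpa'.
    """
    octets = network_id.strip().split(".")
    if not 1 <= len(octets) <= 3:
        raise ValueError("network ID must contain 1 to 3 octets")
    for octet in octets:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"invalid octet {octet!r} in network ID")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(ip: str) -> str:
    """Full owner name of the PTR record for a host address (all four octets reversed)."""
    return ipaddress.ip_address(ip).reverse_pointer


def reverse_zone_for_address(ip: str, prefix_len: int) -> str:
    """Name of the octet-aligned (/8, /16 or /24) reverse zone that holds ip's PTR record."""
    if prefix_len not in (8, 16, 24):
        raise ValueError("wizard-created in-addr.arpa zones are octet-aligned")
    network = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    kept_octets = str(network.network_address).split(".")[: prefix_len // 8]
    return reverse_zone_name(".".join(kept_octets))


def ptr_record_in_zone(ip: str, zone: str) -> bool:
    """True when ip's PTR record belongs in zone, i.e. the owner name ends with the zone name."""
    return ptr_owner_name(ip).endswith("." + zone)


if __name__ == "__main__":
    print(reverse_zone_name("172.16.13"))                 # 13.16.172.in-addr.arpa
    print(ptr_owner_name("172.16.13.5"))                  # 5.13.16.172.in-addr.arpa
    print(reverse_zone_for_address("172.16.13.5", 16))    # 16.172.in-addr.arpa
```

The check in `ptr_record_in_zone` is the one to run when a reverse lookup unexpectedly fails: a PTR record that ends up in the wrong reverse zone (a /16 zone when the PTR was meant for a /24 zone, or vice versa) is never consulted for that address.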

Convert a Zone

You can convert a zone from one type to another (for example, from
primary to secondary) by:

Right-click on zone → Properties → General → Change (Type) → specify new zone type

You can convert a primary zone to an Active Directory-integrated zone
only if the name server is a domain controller.

Configure Zone Transfer/Replication

To manually configure zone transfer:

Right-click on zone → Properties → Zone Transfers → enable zone transfer → specify who can request zone transfers

By default, zone transfers are enabled on standalone name servers but
are allowed only for name servers listed on the Name Servers tab. If
desired, you can instead specify IP addresses of servers allowed to
request zone transfers or allow any server to request a zone
transfer, which is a security risk. By default, your name server also
notifies all servers on the Name Servers tab when updates are
available. Additional configuration of zone transfer can be performed
using the Start of Authority (SOA) tab, where you can specify:

Refresh interval
    This specifies how often a secondary name server contacts its
    master name server for zone updates, which by default is every 15
    minutes.

Retry interval
    This specifies how long a secondary server waits before attempting
    to contact a master name server after a failed attempt at
    contacting it, which by default is every 10 minutes.

Expire interval
    This specifies how long the secondary server retries before it
    stops responding to client requests for name resolution, as the
    secondary server's DNS information is probably out-of-date. The
    default is one day.

Minimum TTL
    This specifies the amount of time during which the DNS server
    caches information it receives from other name servers in response
    to a recursive query it issues. Making the TTL smaller makes the
    DNS database information more consistent across the various DNS
    servers for the zone, but it also increases DNS network traffic
    and the load on the DNS servers. WS2003 DNS servers can also cache
    negative responses to name-query requests.




On stable networks whose configuration doesn't
frequently change, you can try increasing the zone-transfer settings
to reduce zone-transfer traffic. If name resolution starts to become
erratic on the network, lower the settings again.
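Two pieces of the configuration just described, as an added Python example rather than code from the book: a decision function for the "who can request zone transfers" choices on the Zone Transfers tab, and a parser for the SOA record in BIND-style zone text (the format WS2003 writes to its .dns files) with sanity checks on the timer combinations that cause the erratic resolution mentioned above. The policy names, the function names and the sample zone text are my own constructions; the sample uses the 15-minute, 10-minute and 1-day defaults quoted in the text and an assumed 1-hour minimum TTL.

```python
"""Zone-transfer access policy and SOA timer checks (added example, not the book's code)."""
import re

# The four choices the Zone Transfers tab offers, named here for the example.
NO_TRANSFERS = "none"
NAME_SERVERS_TAB = "name-servers-tab"   # default on standalone servers
EXPLICIT_LIST = "ip-list"
ANY_SERVER = "any"                      # lets anyone copy the whole zone: the risk noted above


def transfer_allowed(policy, requester_ip, ns_tab_ips=(), allow_list=()):
    """Decide whether a zone transfer (AXFR/IXFR) request from requester_ip is served."""
    if policy == NO_TRANSFERS:
        return False
    if policy == NAME_SERVERS_TAB:
        return requester_ip in set(ns_tab_ips)
    if policy == EXPLICIT_LIST:
        return requester_ip in set(allow_list)
    if policy == ANY_SERVER:
        return True
    raise ValueError(f"unknown zone-transfer policy {policy!r}")


# SOA in RFC 1035 master-file syntax; ';' comments and the parenthesised
# multi-line form are handled by flattening the text first.
_SOA_RE = re.compile(
    r"\bSOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*\(?\s*(?P<serial>\d+)\s+"
    r"(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
)


def parse_soa(zone_text):
    """Return the SOA fields of a zone file as a dict; timer values are seconds."""
    flat = " ".join(re.sub(r";.*", "", line) for line in zone_text.splitlines())
    match = _SOA_RE.search(flat)
    if match is None:
        raise ValueError("no SOA record found in zone text")
    fields = match.groupdict()
    return {k: v if k in ("mname", "rname") else int(v) for k, v in fields.items()}


def check_soa_timers(soa):
    """Findings for timer combinations that make secondaries behave erratically."""
    findings = []
    refresh, retry, expire, minimum = (soa[k] for k in ("refresh", "retry", "expire", "minimum"))
    if retry >= refresh:
        findings.append("retry >= refresh: a failed poll is retried no sooner than a normal one")
    if expire <= refresh + retry:
        findings.append("expire <= refresh + retry: one missed refresh can expire the zone")
    if minimum == 0:
        findings.append("minimum TTL 0: nothing is cached, so every lookup loads the servers")
    return findings


def seconds_secondary_keeps_serving(soa):
    """Worst-case time a secondary keeps answering after its master becomes unreachable."""
    return soa["expire"]


# Constructed sample zone text, not taken from a real server.
SAMPLE_ZONE = """\
@   IN  SOA  ns1.mtit.com.  hostmaster.mtit.com.  (
            2004010101  ; serial
            900         ; refresh (15 minutes)
            600         ; retry   (10 minutes)
            86400       ; expire  (1 day)
            3600 )      ; minimum TTL (1 hour, an assumed value)
    IN  NS   ns1.mtit.com.
"""

if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print(soa, check_soa_timers(soa))
    print(transfer_allowed(NAME_SERVERS_TAB, "198.51.100.7", ns_tab_ips=["172.16.13.2"]))
```

When you raise the timers on a stable network, run the parsed SOA through `check_soa_timers` again: lengthening refresh without lengthening expire is the combination that silently turns a short master outage into secondaries that stop answering.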

Zone transfer is configured differently for Active Directory-integrated
zones:

Right-click on zone → Properties → General → Change (Replication) → specify replication scope

In addition, you can manually specify zone transfers with name
servers that don't use Active Directory-integrated
zones.

Force Zone Transfer/Replication

To force a name server to update a secondary zone from a master name
server:

Right-click on secondary zone → Transfer from master

The option to reload from a master forces a full zone transfer
instead of an incremental one. To force a master name server to
notify its secondary name servers that they should contact it to
initiate a zone transfer:

Right-click on a zone → Properties → Start of Authority (SOA) → Increment

This increments the version number of the zone on the master name
server, indicating to secondary servers that the zone has been
updated and that they should initiate a zone transfer with the
primary.

If you are using Active Directory-integrated zones exclusively (that
is, all your DNS servers are domain controllers), you can force a
zone transfer with another DNS server by forcing Active Directory
replication to occur. To do this, open Active Directory Sites and
Services from Administrative Tools and expand the following nodes in
the console tree:

Root node → Sites → select a site → Servers → select target DNS server (domain controller) → NTDS Settings

Right-click on the object in the details pane that represents the
link to the DNS server that you want to immediately replicate, and
select Replicate Now.

Add a Resource Record

You can manually create resource records in a zone by right-clicking
on a zone and specifying one of the following:

New Host
    Creates an A record for a host. This option is available only for
    forward-lookup zones, and you can optionally create an associated
    PTR record simultaneously.

New Pointer
    Creates a PTR record for a host. This option is available only for
    reverse-lookup zones.

New Alias
    Creates a CNAME record to map an alias to a host.

New Mail Exchanger
    Creates an MX record for an SMTP mail-forwarding host.

Other New Records
    Lets you create any type of resource record (use this mainly to
    create NS records).

Once you create a resource record, you can modify it by:

Select zone → double-click on resource record

Create a Subdomain

Right-click on zone → New Domain → specify name of subdomain

For example, if your existing zone is authoritative for the mtit.com
domain, you can create a subdomain called sales within the same zone.
You need to specify only the name sales for the new subdomain, not
the full name sales.mtit.com. Creating subdomains is a way of adding
structure to the DNS namespace of your company.

Configure a Forwarder

To configure a name server to forward queries that can't be resolved
locally to a different name server (that is, to a forwarder):

Right-click on DNS server → Properties → Forwarders → specify IP addresses of forwarders

If you specify more than one forwarder, they are tried in order until
one is contacted within the specified forward time-out period. When a
DNS server configured to use a forwarder receives a name query that
it can't resolve itself, it sends the query to the
forwarder to handle. If the forwarder can't resolve
the name, it returns a failure message to the original DNS server.
The original DNS server can then either:

  • Simply pass the failure message to the client that issued the query
    (i.e., iterative behavior)

  • Attempt to resolve the query itself from its own zone information
    (i.e., recursive behavior)


To choose the first option, on the Forwarders tab of the DNS
server's properties sheet, select the checkbox
"Do not use recursion." This makes
your DNS server simply send all queries to the forwarder.


Note that you can now specify that the forwarder be used only for
specific DNS domains (the default is any domain). This feature, known
as conditional forwarding, is new to WS2003. Conditional forwarders
can be used to set up more efficient forwarding paths in your company
if you support several zones.
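A model of the forwarding behaviour described in this section, added here as an example and not taken from the book or from the Windows DNS service itself: forwarders are tried in order until one answers within the time-out, a conditional forwarder wins over the server-wide list when its domain matches the query name (most specific domain first), and the `use_recursion` flag plays the role of the "Do not use recursion" checkbox. The transport functions, addresses and names below are fakes constructed so the example runs offline.

```python
"""Forwarder selection and query handling, modelling the behaviour described above
(added example; the transport functions are fakes constructed for the demo)."""


class ForwardTimeout(Exception):
    """The forwarder did not answer within the forward time-out period."""


class NameNotResolved(Exception):
    """The name could not be resolved (the failure message returned to the client)."""


def select_forwarders(qname, conditional_forwarders, server_forwarders):
    """Return the forwarder list to use for qname.

    Conditional forwarders are keyed by DNS domain; the most specific matching
    domain wins. Names matching no conditional entry use the server-wide list.
    """
    name = qname.lower().rstrip(".")
    best_domain, best_ips = None, server_forwarders
    for domain, ips in conditional_forwarders.items():
        domain = domain.lower().rstrip(".")
        if (name == domain or name.endswith("." + domain)) and (
            best_domain is None or len(domain) > len(best_domain)
        ):
            best_domain, best_ips = domain, ips
    return best_ips


def forward_query(qname, forwarders, ask_forwarder, resolve_locally, use_recursion=True):
    """Try each forwarder in order; decide what to do when forwarding fails.

    use_recursion=False corresponds to the "Do not use recursion" checkbox: any
    failure goes straight back to the client. Otherwise the server falls back to
    resolving the query itself (its own zones / recursion), modelled by resolve_locally.
    """
    for ip in forwarders:
        try:
            return ask_forwarder(ip, qname)
        except ForwardTimeout:
            continue                     # not contacted in time: try the next forwarder
        except NameNotResolved:
            if not use_recursion:
                raise                    # pass the forwarder's failure message through
            return resolve_locally(qname)
    if not use_recursion:
        raise NameNotResolved(f"no forwarder answered for {qname}")
    return resolve_locally(qname)


# --- constructed demo network (addresses and names invented for this example) ---
REACHABLE = {"192.0.2.53", "10.0.1.1"}                     # forwarders that answer at all
FORWARDER_DATA = {
    "192.0.2.53": {"www.example.net": "198.51.100.10"},    # the ISP's name server
    "10.0.1.1": {"host.sales.mtit.com": "172.16.13.7"},    # name server for a branch zone
}
LOCAL_ZONE = {"intranet.mtit.com": "172.16.13.20"}         # what this server answers itself
CONDITIONAL = {"sales.mtit.com": ["10.0.1.9", "10.0.1.1"]}  # 10.0.1.9 is down
SERVER_FORWARDERS = ["192.0.2.53"]


def fake_ask_forwarder(ip, qname):
    if ip not in REACHABLE:
        raise ForwardTimeout(ip)
    answer = FORWARDER_DATA[ip].get(qname)
    if answer is None:
        raise NameNotResolved(qname)
    return answer


def fake_resolve_locally(qname):
    answer = LOCAL_ZONE.get(qname)
    if answer is None:
        raise NameNotResolved(qname)
    return answer


def lookup(qname, use_recursion=True):
    """Full path a client query takes on this server; None when it fails."""
    forwarders = select_forwarders(qname, CONDITIONAL, SERVER_FORWARDERS)
    try:
        return forward_query(qname, forwarders, fake_ask_forwarder,
                             fake_resolve_locally, use_recursion)
    except NameNotResolved:
        return None


if __name__ == "__main__":
    for name in ("host.sales.mtit.com", "www.example.net", "intranet.mtit.com"):
        print(name, lookup(name), lookup(name, use_recursion=False))
```

The `intranet.mtit.com` case is the one to note: with "Do not use recursion" set, a name that only this server's own zone data can answer still fails as soon as the forwarder reports failure, which is exactly the trade-off the checkbox makes.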

Configure a Caching-Only Name Server


Simply install the DNS Server service on a WS2003 machine and
don't configure any forward- or reverse-lookup zones
on it!

Configure Scavenging

Right-click on DNS server → Set Aging/Scavenging for all zones → Scavenge stale resource records

Scavenging removes stale
resource
records from the DNS database. This is important if you are using
dynamic updates to maintain your DNS database. For example, if a DNS
client configured to use dynamic updates shuts down improperly (for
example, by turning the power off or removing the cable from its
network card), the DNS server is not aware that the client is gone
and still resolves names directed toward the client. If the client
shuts down smoothly, its resource records are deleted from the DNS
database when dynamic updates are used.

You can manually initiate scavenging by:

Right-click on DNS server → Scavenge stale resource records


Be careful with enabling scavenging. If it is not configured
properly, you may end up deleting resource records that should have
been retained. Scavenging can be enabled on a per-server, per-zone,
or per-record basis. See the Windows Server 2003 Resource Kit for
more information on configuring DNS scavenging.
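The arithmetic behind "configured properly", as an added example that is not the book's code. The text above does not describe the two aging intervals; the model below uses the Windows DNS aging mechanism as Microsoft documents it (a no-refresh interval during which re-registrations leave the record's timestamp untouched, followed by a refresh interval during which they update it, 7 days each by default), and shows which records a scavenging pass removes. Dates, host names and the `days`/`hours` helpers are constructed for the demo.

```python
"""Aging and scavenging arithmetic (added example; the no-refresh/refresh intervals
are Windows DNS aging parameters not covered by the text above, with the 7-day defaults)."""
from datetime import datetime, timedelta

NO_REFRESH_INTERVAL = timedelta(days=7)   # refreshes are suppressed during this window
REFRESH_INTERVAL = timedelta(days=7)      # refreshes are accepted during this window
T0 = datetime(2004, 1, 1)                 # constructed sample date


def days(n):
    return timedelta(days=n)


def hours(n):
    return timedelta(hours=n)


def accept_refresh(timestamp, now, no_refresh=NO_REFRESH_INTERVAL):
    """Return the record timestamp after a client re-registers the same data.

    Static records created in the console carry no timestamp (None) and stay that way.
    Inside the no-refresh window the server leaves the timestamp alone, which keeps
    daily re-registrations from causing a directory write every day.
    """
    if timestamp is None:
        return None
    if now < timestamp + no_refresh:
        return timestamp
    return now


def is_stale(timestamp, now, no_refresh=NO_REFRESH_INTERVAL, refresh=REFRESH_INTERVAL):
    """A record is stale once both windows have passed since its last accepted refresh."""
    if timestamp is None:
        return False               # records without a timestamp are never scavenged
    return now >= timestamp + no_refresh + refresh


def scavenge(records, now):
    """Split {name: timestamp} into (kept, removed) as a scavenging pass would."""
    kept = {name: ts for name, ts in records.items() if not is_stale(ts, now)}
    removed = sorted(name for name in records if name not in kept)
    return kept, removed


def simulate_daily_reregistration(start, num_days):
    """Timestamp of a client that re-registers every 24 hours for num_days days."""
    timestamp = start
    for day in range(1, num_days + 1):
        timestamp = accept_refresh(timestamp, start + days(day))
    return timestamp


if __name__ == "__main__":
    records = {
        "laptop-off-since-jan1": T0,                                   # never re-registered
        "pc-reregistering-daily": simulate_daily_reregistration(T0, 30),
        "fileserver-static": None,                                     # created in the console
    }
    kept, removed = scavenge(records, T0 + days(30))
    print("removed:", removed)      # ['laptop-off-since-jan1']
    # Misconfiguration: with two 8-hour intervals a host that registers every 24 hours
    # is already stale before its next registration arrives.
    print(is_stale(T0, T0 + hours(20), no_refresh=hours(8), refresh=hours(8)))   # True
```

The last line is the failure mode the warning above refers to: intervals shorter than the clients' 24-hour re-registration cycle make scavenging delete records of machines that are switched on and healthy.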

Monitor a DNS Server

WS2003 DNS servers can perform self-monitoring actions on a scheduled
basis to ensure they are functioning properly. To configure
monitoring:

Right-click on DNS server → Properties → Monitoring → select type of test → specify test interval

A simple query means the DNS server must return a response without
querying any other name servers. Selecting recursive query means that
your DNS server can recursively query other name servers if
necessary, which is a more complex test to perform and interpret. You
can also click Test Now to perform a test manually. Test results are
PASS or FAIL.

Specify Boot Method

Right-click on DNS server → Properties → Advanced → Load zone data on startup → select from where

Here are the possibilities:

From registry
    The default on WS2003 when Active Directory-integrated zones
    aren't used.

From file
    The option to store your name server configuration information in
    a boot file, an ASCII text file that uses BIND 4 format. You don't
    need this file for DNS on WS2003, but if you are importing your
    DNS information from an existing BIND 4.x.x name server, you can
    port the boot file from the BIND server to the WS2003 name server
    and then specify the setting described earlier.

From Active Directory and registry
    The default on WS2003 domain controllers.


Update Server Datafiles

At predefined update intervals, DNS servers automatically write
changes in standard primary zones to their associated zone files on
the server's disk. This information is also written to disk when a
DNS server is shut down. To immediately write changes in standard
primary zones to their associated zone files on the server's disk:

Right-click DNS server → Update Server Data Files

When you make a change to an Active Directory-integrated zone, the
information is written immediately to Active Directory; the Update
Server Data Files option has no effect for these zones.

Clear the DNS Server Cache

Right-click on DNS server → Clear cache

This removes all resolved names from the server cache. The server
cache contains information received from other name servers in
response to recursive queries it has issued. You might clear the
server cache after you manually modify existing resource records
within a zone (for example, if servers had their IP addresses
changed). This will ensure that DNS clients querying the server will
have names resolved from zone data and not from a stale server cache.


The server cache on a DNS server and the resolver cache on a DNS
client are two different things, although both are present on a DNS
server (since every DNS server must also be a DNS client).

Configure DNS Clients

The procedure you will use to configure client computers to contact
DNS servers for name resolution depends on the type of operating
system on the client and whether DHCP or static IP addressing is
used. The actual steps will vary, depending on which version of
Microsoft Windows your clients are running, but some general
guidelines are as follows.

Clients Using Static Addresses


Configure the following information on the client computer:

  • Specify the IP address of the primary (and possibly a secondary) DNS
    server.

  • Specify a list of DNS suffixes that should be appended to unqualified
    DNS names to try to resolve them (optional).

  • Enable the client to register its IP address with the DNS server
    using DNS dynamic updates (W2K/2003/XP clients only).


On W2K/2003/XP clients, dynamic updates are configured by default.

Clients Using DHCP


Configure the following information on the client computer:

  • Enable DHCP on the client.

  • Enable dynamic updates on the client by selecting the checkbox to
    register the connection's addresses in DNS
    (W2K/2003/XP clients only).


Configure the following information on the DHCP server:

  • Specify the IP addresses of primary and alternate DNS servers with
    DHCP option 6.

  • If desired, specify a list of DNS suffixes that should be appended to
    unqualified DNS names to try to resolve them. Only one suffix can be
    assigned using DHCP option 15; others have to be manually assigned at
    the client.


New to WS2003 is the fact that Group Policy now lets you configure
DNS on W2K/2003/XP clients by enabling/disabling dynamic updates,
specifying a DNS suffix, and so on. These new policy settings are
found under Computer Configuration → Administrative Templates →
Network → DNS Client.

Enable Dynamic Updates

To allow a zone to be automatically updated by dynamic updates:

Right-click on a zone → Properties → General → Dynamic updates → select option

On standalone name servers your options are None (the default) or
Nonsecure and Secure (not recommended). For Active
Directory-integrated zones you have a third option, Secure Only,
which is the default and is recommended. Once you enable dynamic
updates on the name server, you also need to enable it on the client.
W2K/2003/XP clients belonging to a Windows 2003/2000 domain and using
DHCP are configured to use dynamic updates by default. This can be
toggled on or off by:

Right-click on My Network Places → Properties → right-click on Local Area Connection → Properties → select Internet Protocol (TCP/IP) → Properties → Advanced → DNS → select/deselect Register this connection's addresses in DNS

W2K/2003/XP machines dynamically reregister their A resource records
with the DNS server every 24 hours or when a DHCP lease is renewed, a
new lease is obtained, the TCP/IP configuration on the client
changes, an IP address is added or removed for a static adapter, or a
Plug and Play event occurs. If a DHCP lease expires, the client also
deregisters its A record with DNS servers. You can force a client to
reregister its A record with DNS servers with
ipconfig /registerdns at the
command line on the client. With NT clients that use DHCP to perform
dynamic updates, use ipconfig
/release and ipconfig
/renew instead.
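Why "Nonsecure and secure" is not recommended and "Secure only" is, shown with an added Python model rather than code from the book or from the Windows DNS service: the same sequence of updates is replayed against a zone under each setting. The model reduces secure dynamic update to its two observable effects, that the update must be authenticated and that an existing record may only be changed by the account that created it (the per-record ACL that Active Directory-integrated zones keep). The policy strings, class, account names and addresses are my own constructions.

```python
"""Dynamic-update acceptance under the three zone settings (added example, not the book's
code; the ownership check models the per-record ACL that secure updates rely on)."""

NONE = "None"                               # standalone default
NONSECURE_AND_SECURE = "Nonsecure and secure"
SECURE_ONLY = "Secure only"                 # AD-integrated zones only; recommended


class Zone:
    def __init__(self, update_policy):
        self.update_policy = update_policy
        self.records = {}            # name -> {"ip": ..., "owner": principal or None}

    def dynamic_update(self, name, ip, authenticated_as=None):
        """Apply a client's dynamic update; return True when it is accepted.

        authenticated_as is the computer account proven by a secure (Kerberos-signed)
        update, or None for an unauthenticated update.
        """
        if self.update_policy == NONE:
            return False
        if self.update_policy == SECURE_ONLY:
            if authenticated_as is None:
                return False
            existing = self.records.get(name)
            # Only the account that created the record may change it: a second machine
            # claiming an existing name is refused instead of overwriting it.
            if existing is not None and existing["owner"] != authenticated_as:
                return False
        self.records[name] = {"ip": ip, "owner": authenticated_as}
        return True

    def address_of(self, name):
        record = self.records.get(name)
        return None if record is None else record["ip"]


def demo():
    """Same sequence of updates against the two non-default settings (constructed data)."""
    results = {}
    for policy in (NONSECURE_AND_SECURE, SECURE_ONLY):
        zone = Zone(policy)
        zone.dynamic_update("fileserver", "172.16.13.10", authenticated_as="FILESERVER$")
        zone.dynamic_update("fileserver", "172.16.13.99")                   # unauthenticated
        zone.dynamic_update("fileserver", "172.16.13.98", authenticated_as="OTHERPC$")
        results[policy] = zone.address_of("fileserver")
    return results


if __name__ == "__main__":
    print(demo())   # {'Nonsecure and secure': '172.16.13.98', 'Secure only': '172.16.13.10'}
```

Under "Nonsecure and secure" the file server's record ends up pointing wherever the last update said, whoever sent it; under "Secure only" it still carries the address FILESERVER$ registered. Auditing for this is a matter of confirming that every Active Directory-integrated zone reports Secure only on its General tab.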

Preload Resolver Cache

You can speed up name queries to frequently accessed hosts by
preloading the client resolver cache. On WS2003 clients, for example,
open the Hosts file located in %SystemRoot%\System32\drivers\etc and
add hostname-to-IP-address mappings using the format outlined in the
file. When the client tries to resolve a name, it tries its local
resolver cache first; if this fails, it then contacts a name server.
You can verify that these entries have been preloaded into the client
cache by using the ipconfig /displaydns command from a command prompt
on the client. The downside of this procedure is that name-resolution
data on your clients could become stale if you make changes to your
server infrastructure often.

Flush the Resolver Cache

On a DNS client you can flush the contents of the resolver cache (the
cached responses from a name query the client issued) using ipconfig
/flushdns at the command line. You can do this if its contents become
stale (for example, after you modify existing records on DNS
servers).

View the Resolver Cache

In order to see what information is stored in the resolver cache on a
DNS client, type ipconfig /displaydns at the command line. This
displays both:

  • Information received from name servers in response to recently issued
    name queries by the client

  • Preloaded hostname-to-IP-address mappings from the
    client's local Hosts file

The entries in the cache age and expire when the TTLs associated with
their records on the name server expire (entries in Hosts don't
expire).
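The three resolver-cache sections above (preload, flush, view) described by one added Python model, which is not the Windows resolver's code: a parser for the Hosts file format, a cache whose Hosts entries never expire while learned answers age out on their TTL, a `flush` that mirrors ipconfig /flushdns (learned answers dropped, Hosts reloaded at once) and a `display` that mirrors what ipconfig /displaydns lists. The sample Hosts text, the fake name server and the names in it are constructed for the demo.

```python
"""Client resolver-cache model: Hosts preload, TTL expiry, flush and display (added example)."""


def parse_hosts(text):
    """Parse Hosts-file syntax: '<ip> <name> [alias ...]', with '#' comments; first mapping wins."""
    mappings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mappings.setdefault(name.lower(), ip)
    return mappings


class ResolverCache:
    """Entries are (ip, expiry) where expiry is an absolute time in seconds, or None for Hosts."""

    def __init__(self, hosts_text=""):
        self._hosts_text = hosts_text
        self._entries = {}
        self._preload_hosts()

    def _preload_hosts(self):
        for name, ip in parse_hosts(self._hosts_text).items():
            self._entries[name] = (ip, None)          # Hosts entries never expire

    def add_answer(self, name, ip, ttl, now):
        """Cache a name-server answer for the record's TTL."""
        self._entries[name.lower()] = (ip, now + ttl)

    def lookup(self, name, now):
        entry = self._entries.get(name.lower())
        if entry is None:
            return None
        ip, expiry = entry
        if expiry is not None and now >= expiry:
            del self._entries[name.lower()]             # aged out
            return None
        return ip

    def flush(self):
        """ipconfig /flushdns: learned answers go, Hosts mappings are reloaded at once."""
        self._entries.clear()
        self._preload_hosts()

    def display(self, now):
        """ipconfig /displaydns-style listing: (name, ip, seconds left or None) for live entries."""
        listing = []
        for name, (ip, expiry) in sorted(self._entries.items()):
            if expiry is None:
                listing.append((name, ip, None))
            elif now < expiry:
                listing.append((name, ip, expiry - now))
        return listing


def resolve(cache, name, now, ask_server):
    """Client resolution order: resolver cache (including Hosts) first, then the name server."""
    ip = cache.lookup(name, now)
    if ip is not None:
        return ip, "cache"
    ip, ttl = ask_server(name)
    cache.add_answer(name, ip, ttl, now)
    return ip, "server"


# Constructed sample data, not taken from any real machine.
SAMPLE_HOSTS = """\
# Hosts file preloaded into the resolver cache
127.0.0.1       localhost
172.16.13.20    intranet.mtit.com   intranet    # alias for the short name
"""
FAKE_SERVER = {"www.example.net": ("198.51.100.10", 3600)}   # name -> (ip, TTL seconds)


def fake_ask_server(name):
    return FAKE_SERVER[name.lower()]


if __name__ == "__main__":
    cache = ResolverCache(SAMPLE_HOSTS)
    print(resolve(cache, "www.example.net", 0, fake_ask_server))      # ('198.51.100.10', 'server')
    print(resolve(cache, "www.example.net", 100, fake_ask_server))    # ('198.51.100.10', 'cache')
    print(cache.display(100))
```

The staleness caveat from the preload section falls out of the model: a changed server address reaches clients only once the learned entry's TTL runs out or someone flushes, while a Hosts entry keeps answering with the old address until the file itself is edited.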

