Maintaining DNS and DHCP Server Roles

Excerpted from Microsoft Official Course 6431A, Managing and Maintaining Windows Server 2008 Network Infrastructure Servers

This lesson is part of a two-day, 300-level course focusing on managing and maintaining Windows Server 2008 server roles and security for server administrators who have a good understanding of DHCP, DNS, and other core networking services. This course is offered exclusively by Microsoft Learning Solutions Partners and delivered by Microsoft Certified Trainers. See additional course requirements, the complete syllabus, and upcoming course dates and locations here.


This lesson explains the procedures you should follow to ensure your DNS and DHCP servers are operating as effectively and securely as possible.

Analyzing DNS and DHCP Security

To properly analyze DNS and DHCP security levels, use the DNS Manager to compare your deployments against these key points:

  • Zone transfers are disabled if all your zones are Active Directory integrated.
  • Zone transfers are assigned to the servers that should receive the records.
  • Servers that perform DNS forwarding are appropriately assigned.
  • DHCP servers are authorized.
  • Root servers are up-to-date on the DNS servers that perform recursive duties.
  • DNS servers that are designated as slaves do not have root server records configured.
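The same checkpoints can be pulled from a server without clicking through DNS Manager. The script below is an added example, not part of the Microsoft course: it reads zone-transfer policy, Active Directory integration, slave status and forwarders through the MicrosoftDNS WMI provider that ships with the Windows Server 2008 DNS role, counts root hints with dnscmd.exe, and lists the DHCP servers that Active Directory records as authorized with netsh (which needs the DHCP management tools installed). `$ComputerName` is an assumed parameter; the checks mirror the bullet list above and flag only what does not match it.

```powershell
# Added example; not part of the Microsoft course. Reports the checkpoints listed above
# for a Windows Server 2008 DNS/DHCP server using the MicrosoftDNS WMI provider, dnscmd.exe
# and netsh. Run as an administrator; $ComputerName is an assumed parameter ('.' = local server).
param([string]$ComputerName = '.')

$ns = 'root\MicrosoftDNS'

# Meaning of MicrosoftDNS_Zone.SecureSecondaries (who may pull a zone transfer).
$xferPolicy = @{
    0 = 'any server (insecure)'
    1 = 'only servers listed in the zone NS records'
    2 = 'only the explicit secondary server list'
    3 = 'zone transfers disabled'
}

$server = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server -ComputerName $ComputerName
$zones  = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone   -ComputerName $ComputerName |
          Where-Object { $_.ZoneType -le 2 -and $_.Name -notlike '..*' }  # 0 AD-integrated, 1 primary, 2 secondary

"=== DNS server $($server.Name) ==="
"Forwarders : $(if ($server.Forwarders) { $server.Forwarders -join ', ' } else { '<none>' })"
"Slave      : $($server.IsSlave)   (slave = forward-only, no recursion to the root servers)"

foreach ($z in $zones) {
    "--- zone $($z.Name): DsIntegrated=$($z.DsIntegrated), transfers -> $($xferPolicy[[int]$z.SecureSecondaries])"
    if ($z.DsIntegrated -and $z.SecureSecondaries -ne 3) {
        "    CHECK: AD-integrated zone still allows zone transfers; AD replication does not need them."
    }
    if (-not $z.DsIntegrated -and $z.SecureSecondaries -lt 2) {
        "    CHECK: file-backed zone is not restricted to an explicit list of secondaries."
    }
    if ($z.SecureSecondaries -eq 2) {
        "    allowed secondaries: $($z.SecondaryServers -join ', ')"
    }
}

# Root hints: a recursive server needs current root server records; a slave should have none.
$hintLines = if ($ComputerName -eq '.') { dnscmd /EnumRecords '..RootHints' '@' 2>&1 }
             else { dnscmd $ComputerName /EnumRecords '..RootHints' '@' 2>&1 }
$rootNs = @($hintLines | Where-Object { $_ -match '\sNS\s' })
"Root hints : $($rootNs.Count) NS records"
if ($server.IsSlave -and $rootNs.Count -gt 0) {
    "    CHECK: server is configured as a slave but still holds root hints."
}
if (-not $server.IsSlave -and $rootNs.Count -eq 0) {
    "    CHECK: recursive server has no root hints; recursion cannot reach the root."
}

# DHCP: servers recorded in Active Directory as authorized. Compare against the servers
# actually handing out leases on the network; anything not listed here is unauthorized.
"=== DHCP servers authorized in Active Directory (netsh dhcp show server) ==="
netsh dhcp show server | Where-Object { $_.Trim() } | ForEach-Object { "    $($_.Trim())" }
```

Every line that starts with CHECK is a deviation from the list above, so the script can be scheduled and its output diffed from run to run; no output other than the headers means the server still matches the baseline.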

Question: What is your schedule to perform the recommended checks?


Scavenging Stale Records

Scavenging relies on the defined length of the refresh and no-refresh intervals. Here is a brief description of the process:

  • The no-refresh interval is used by dynamic updates to suppress re-registration attempts from the client.
  • The refresh interval begins when the no-refresh interval expires; it is the window in which the client must refresh its record before the record becomes stale and can be removed.
  • By default the no-refresh interval is seven days, and it starts again whenever the record's timestamp is refreshed.
  • Re-registration attempts from clients are not accepted when the defined no-refresh interval is in effect.
  • When the no-refresh interval expires, the refresh interval begins once again.
  • The DNS client has seven days to refresh its record before it will be considered stale.
  • When the refresh interval expires, the scavenging process removes the stale records.

Now that you understand the scavenging process, here are several key points about the deployment process:

  • Scavenging must be defined on both the server and the zones.
  • The scavenging period tells the DNS server how often to check its zones for stale records; it is expressed in hours or days.
  • The scavenging period applies to the DNS server.
  • The scavenging process applies to each DNS server where scavenging is enabled.
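The interplay of the two intervals and the server-wide scavenging period is easier to see on a live server than in the abstract. The following script is an added example, not part of the course: it reads the server's scavenging period and each primary zone's aging settings through the MicrosoftDNS WMI provider on Windows Server 2008, flags the case where only the server or only the zone has scavenging enabled (the situation the first deployment point warns about), and prints the no-refresh, refresh and stale phases for one record from a constructed registration time. `$ComputerName` is an assumed parameter; `AvailForScavengeTime` is the provider's "zone can be scavenged after" value, which it expresses as hours since 1 January 1601.

```powershell
# Added example; not part of the Microsoft course. Shows the aging/scavenging settings the
# text describes, as stored on a Windows Server 2008 DNS server, plus one record's timeline.
# Run as an administrator; $ComputerName is an assumed parameter ('.' = local server).
param([string]$ComputerName = '.')

$ns    = 'root\MicrosoftDNS'
$epoch = [DateTime]'1601-01-01'   # the WMI provider counts aging timestamps in hours from here

$server = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Server -ComputerName $ComputerName
"Server $($server.Name):"
"  scavenging period (hours)     : $($server.ScavengingInterval)   (0 = scavenging disabled on the server)"
"  default aging for new zones   : $($server.DefaultAgingState)"
"  default no-refresh / refresh  : $($server.DefaultNoRefreshInterval) h / $($server.DefaultRefreshInterval) h"

# Primary zones only (ZoneType 0 = AD-integrated, 1 = standard primary); skip ..Cache and friends.
$zones = Get-WmiObject -Namespace $ns -Class MicrosoftDNS_Zone -ComputerName $ComputerName |
         Where-Object { $_.ZoneType -le 1 -and $_.Name -notlike '..*' }

foreach ($z in $zones) {
    "Zone $($z.Name):"
    "  aging enabled                 : $([bool]$z.Aging)"
    "  no-refresh / refresh (hours)  : $($z.NoRefreshInterval) h / $($z.RefreshInterval) h"
    if ($z.Aging) {
        "  zone can be scavenged after   : $($epoch.AddHours($z.AvailForScavengeTime))"
    }
    # Both the server and the zone must have scavenging enabled before any record is removed.
    if ($z.Aging -and $server.ScavengingInterval -eq 0) {
        "  NOTE: zone aging is on, but the server's scavenging period is 0; stale records are never removed."
    }
    if (-not $z.Aging -and $server.ScavengingInterval -gt 0) {
        "  NOTE: the server scavenges, but this zone is not aging; its records never become stale."
    }
}

# Lifecycle of one dynamically registered record, using the first zone's intervals and a
# constructed registration time (the value stored as the record's timestamp).
$zone = $zones | Select-Object -First 1
if ($zone) {
    $registered   = [DateTime]'2008-03-10 09:00:00'          # constructed sample timestamp
    $refreshOpens = $registered.AddHours($zone.NoRefreshInterval)
    $stale        = $refreshOpens.AddHours($zone.RefreshInterval)
    ""
    "Timeline for a record in $($zone.Name) registered at $registered :"
    "  until $refreshOpens : no-refresh interval, re-registration attempts are suppressed"
    "  until $stale : refresh interval, a refresh resets the timestamp and restarts the cycle"
    "  after $stale : stale; removed on the next scavenging pass, which runs every $($server.ScavengingInterval) h"
}
```

With the seven-day defaults the timeline is fourteen days from registration to eligibility, and the actual deletion can lag by up to one more scavenging period, which is why a shorter scavenging period does not by itself make records disappear sooner than the two intervals allow.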

Question: Have you considered enabling scavenging?

Using DNSLint for Analysis

The DNSLint command-line tool is useful for checking DNS operation on a regular maintenance schedule. It:

  • Displays port numbers in HTML format.
  • Displays e-mail MX records to help troubleshoot e-mail problems.
  • Performs diagnostics of potential delegation problems.
  • Verifies DNS records on multiple DNS servers using an input file.
  • Verifies DNS records used for Active Directory replication.

For more information about DNSLint, refer to the Description of the DNSLint utility article on the Microsoft Help and Support Web site.

Using Audit Logging for DNS and DHCP Analysis

Some useful information can be gathered from the DHCP audit log:

  • Event ID 53 means that Active Directory was inaccessible when the DHCP server started, so cached authorization information was used to allow the DHCP service to start.
  • Event ID 56 indicates that the DHCP server is not authorized to start.
  • Event ID 57 indicates that another DHCP server already exists within the specified domain.
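Reading these events out of the audit log by hand does not scale past a server or two. The script below is an added example, not part of the course: it parses the comma-separated body of a Windows Server 2008 DHCP audit log (DhcpSrvLog-<Day>.log under %SystemRoot%\System32\dhcp), reports the three authorization events described above with the meaning the lesson gives them, and summarizes lease activity so a quiet server and a server that silently stopped servicing look different at a glance. The log text embedded in the script is constructed to show the layout; on a real server replace it with `Get-Content` on the log file.

```powershell
# Added example; not part of the Microsoft course. Scans a Windows Server 2008 DHCP audit log
# for the authorization events the lesson describes (IDs 53, 56, 57) and summarizes leases.
# The log below is CONSTRUCTED sample data in the audit-log layout; on a real server use
#   $logText = Get-Content "$env:SystemRoot\System32\dhcp\DhcpSrvLog-Mon.log" | Out-String
$logText = @'
        Microsoft DHCP Service Activity Log

ID,Date,Time,Description,IP Address,Host Name,MAC Address,User Name, TransactionID, QResult,Probationtime, CorrelationID,Dhcid.
00,03/10/08,09:00:00,Started,,,,,0,6,,,,
53,03/10/08,09:00:02,Cached authorization used,,,,,0,6,,,,
10,03/10/08,09:05:13,Assign,192.168.1.50,NYC-CL1.WoodgroveBank.com,001122334455,,1234,0,,,,
11,03/10/08,09:41:20,Renew,192.168.1.50,NYC-CL1.WoodgroveBank.com,001122334455,,1235,0,,,,
12,03/10/08,11:15:02,Release,192.168.1.50,NYC-CL1.WoodgroveBank.com,001122334455,,1236,0,,,,
57,03/10/08,12:00:00,Another DHCP server exists in the domain,,,,,0,6,,,,
56,03/10/08,12:00:01,Not authorized; stopped servicing,,,,,0,6,,,,
'@

# Meaning of the authorization events, as given in the lesson text.
$authEvents = @{
    '53' = 'WARN: Active Directory unreachable at start-up; cached authorization used'
    '56' = 'CRIT: server is not authorized to start'
    '57' = 'CRIT: another DHCP server already exists in the domain'
}

# Parse: skip the free-text header, then split each numeric record on commas.
$inBody = $false
$events = foreach ($line in ($logText -split "`r?`n")) {
    if ($line -like 'ID,Date,Time*') { $inBody = $true; continue }
    if (-not $inBody -or $line -notmatch '^\d\d,') { continue }
    $f = $line -split ','
    New-Object PSObject -Property @{
        Id = $f[0]; Date = $f[1]; Time = $f[2]; Description = $f[3]
        IP = $f[4]; Host = $f[5]; MAC = $f[6]
    }
}

"Authorization / rogue-detection events:"
$events | Where-Object { $authEvents.ContainsKey($_.Id) } | ForEach-Object {
    "  {0} {1}  ID {2}  {3}  ({4})" -f $_.Date, $_.Time, $_.Id, $authEvents[$_.Id], $_.Description
}
if (-not ($events | Where-Object { $authEvents.ContainsKey($_.Id) })) { "  none" }

"Lease activity (10 = assign, 11 = renew, 12 = release):"
$events | Where-Object { @('10','11','12') -contains $_.Id } |
    Group-Object Id | Sort-Object Name | ForEach-Object {
        "  ID {0}: {1} event(s)" -f $_.Name, $_.Count
    }

# A 56 after leases were being handed out means clients lost their DHCP server mid-day.
$stopped = $events | Where-Object { $_.Id -eq '56' } | Select-Object -Last 1
if ($stopped) { "Service stopped servicing at $($stopped.Date) $($stopped.Time); check authorization in Active Directory." }
```

Because the log rotates daily by weekday name, a scheduled run over all seven DhcpSrvLog-*.log files gives a week of authorization history, and a 57 followed by a 56 is the pattern to alert on: another server was found in the domain and this one stopped handing out leases.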

Question: Have you reviewed your audit logs lately?

Monitoring Tools for DNS and DHCP Server Roles

The Performance Monitor can be used to define server baselines for both the DNS and DHCP servers.

Lab: Managing DNS and DHCP Server Roles

Note: To perform this lab with full hands-on access, attend the full course at a Microsoft Learning Partner.

Exercise 1: Evaluating the DNS and DHCP Server Roles

Scenario

Woodgrove Bank has recently upgraded its DNS and DHCP servers to Windows Server 2008 roles. A security review of both the DNS and DHCP roles has been ordered by the Enterprise Administrator before the new server roles go into production. The installation was started by an outside consulting firm and, although every effort was made to enforce a very high level of security, the final sign-off and verification were not completed.

Exercise Overview

In this exercise, you will use the DNS System Check and DHCP System Check charts to analyze the required outcome and, if changes need to be made, record what was done to reach it. The following tasks and security checks must be carried out on 6431-NYC-DC1 and 6431-NYC-SVR1.

Task 1: Complete the DNS System Check chart

Review the DNS system check items outlined in the following chart and document your findings.

  • Start 6431-NYC-DC1 and log on as WoodgroveBank\Administrator with the password Pa$$w0rd.
  • Start 6431-NYC-SVR1 and log on as the local Administrator with the password Pa$$w0rd.
  • For each item listed in the Required Outcome column, check the current status of the 6431-NYC-DC1 and 6431-NYC-SVR1 servers.
  • In the Current Status column, write either Pass or Fail.
  • Pass to indicate that the current status meets the required outcome.
  • Fail to indicate that the current status does NOT meet the required outcome.
  • If the current status does not meet the required outcome, list in the Solution column the high-level steps that would be required to achieve it.

DNS System Check


Task 2: Complete the DHCP System Check chart

Review the DHCP system check items outlined in the following chart and document your findings.

  • For each item listed in the Required Outcome column, check the current status of the 6431-NYC-DC1 and 6431-NYC-SVR1 servers.
  • In the Current Status column, write either Pass or Fail.
  • Pass to indicate that the current status meets the required outcome.
  • Fail to indicate that the current status does NOT meet the required outcome.
  • If the current status does not meet the required outcome, list in the Solution column the high-level steps that would be required to achieve it.

DHCP System Check


Results: Successful completion of this exercise confirms the required outcomes of the DNS and DHCP System Check charts, or lists the additional steps required to achieve them.

Exercise 2: Adding Scavenging to the DNS Server Roles

Exercise Overview

In this exercise, you will add scavenging to the DNS Server roles in the Woodgrove Bank domain.

The main tasks for this exercise are as follows:

  1. Enable Scavenging and Aging on the 6431-NYC-DC1 DNS server.
  2. Enable Scavenging and Aging on the Forward Lookup Zone.
  3. View when a zone can start the Scavenging process.

Task 1: Enable Scavenging and Aging on the 6431-NYC-DC1 DNS Server

  • On 6431-NYC-DC1, open Server Manager.
  • Expand the Roles node.
  • Open the Properties of 6431-NYC-DC1 on the DNS Server node.
  • On the Advanced tab, enable the automatic scavenging of stale records.

Note: Both the server and the zones must have scavenging enabled before the process will function.

  • Accept the default scavenging period of seven days.

Task 2: Enable Scavenging and Aging on the Forward Lookup Zone

  • Expand the NYC-DC1, Forward Lookup Zones, and WoodgroveBank.com nodes.
  • Open the Properties of WoodgroveBank.com and complete the following steps:
  • On the General tab, select Aging.
  • In the Zone Aging/Scavenging Properties dialog box, select Scavenge stale resource records.
  • Accept the seven-day window before scavenging of stale records occurs and enable the scavenging process.
  • Close the WoodgroveBank.com Properties dialog box.

Task 3: View when a zone can start the Scavenging process

  • Shut down and reopen Server Manager.
  • On the DNS Server node, open the Advanced option in the View menu.
  • Open the Properties of WoodgroveBank.com Forward Lookup Zone.
  • On the General tab, select Aging. At the bottom of the Zones Aging/Scavenging Properties dialog box, the following message will display: The zone can be scavenged after the following date and time.
  • Close the Zones Aging/Scavenging Properties dialog box.

Results: After this exercise, scavenging should have been enabled.
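The same configuration can be applied from the command line, which is how it would be rolled out to more than one server. The following is an added example, not part of the course: the dnscmd.exe equivalent of Tasks 1 to 3, using the lab's server and zone names and the seven-day defaults the exercise accepts. The `/Default*` server settings are the values the console applies to zones created later and are not required for the existing lab zone; the final /ZoneInfo call prints the zone's properties, including its aging state and the time after which it can be scavenged, which is the value Task 3 reads in the console.

```powershell
# Added example; not part of the Microsoft course. dnscmd.exe equivalent of Exercise 2 on a
# Windows Server 2008 DNS server. Server and zone names are the lab's; 168 hours = seven days.
# Run as an administrator (WoodgroveBank\Administrator in the lab) on 6431-NYC-DC1.
$Server = '6431-NYC-DC1'
$Zone   = 'WoodgroveBank.com'
$Hours  = 168

# Task 1: server-level scavenging period (how often the server looks for stale records).
dnscmd $Server /Config /ScavengingInterval $Hours

# Server defaults applied to zones created from now on (not needed for the existing zone).
dnscmd $Server /Config /DefaultAgingState 1
dnscmd $Server /Config /DefaultNoRefreshInterval $Hours
dnscmd $Server /Config /DefaultRefreshInterval $Hours

# Task 2: enable aging on the zone and set its no-refresh and refresh intervals.
dnscmd $Server /Config $Zone /Aging 1
dnscmd $Server /Config $Zone /NoRefreshInterval $Hours
dnscmd $Server /Config $Zone /RefreshInterval $Hours

# Task 3: view the zone properties, including aging state and when scavenging may begin.
dnscmd $Server /ZoneInfo $Zone
```

Scavenging is a destructive operation once both halves are enabled, so the usual practice is to configure the zone first, confirm the printed "can be scavenged after" time is in the future, and only then set the server's scavenging period.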

Exercise 3: Monitoring the DNS and DHCP Server Roles

Exercise Overview

In this exercise, you will set up data collector sets for the monitoring of the DNS and DHCP server roles.

The main tasks for this exercise are as follows:

  1. Monitor the DHCP Server role with a Data Collector Set.
  2. Add selected counters and alerts.
  3. Define the Schedule.
  4. Monitor the DNS Server role with a Data Collector Set.
  5. Add selected counters and alerts.
  6. Set Schedule, Enable Service, and Test Operations.

Task 1: Monitor the DHCP Server role with a Data Collector Set

  • Log on to 6431-NYC-DC1, if you are not already logged on (WoodgroveBank\Administrator with the password of Pa$$w0rd).
  • Open Server Manager, if not already open.
  • Expand the Reliability and Performance node, the Diagnostic node, the Data Collector Sets node, and then select User Defined under the Data Collector Sets node.
  • Create a Data Collector Set with the following parameters:
  • Name: DHCP Baseline
  • Create manually (Advanced)
  • Add Performance counters
  • Show Description
  • Expand the DHCP V6 Server icon.

Task 2: Add selected counters and alerts

  • Add the following counters:
  • Requests/sec
  • Renews/sec
  • Releases/sec
  • Packets Expired/sec
  • Accept the default storage path.
  • Finish the Data Collector Set.
  • Create a new Data Collector Set from the DHCP Baseline with the following parameters:
  • Performance counter alerts
  • Show description
  • Expand the DHCP V6 Server icon.

  • Duplicates Dropped/sec: set the alert to Alert when Above 100

  • Finish creating the Data Collector Set and open its properties.
  • On the Alert Action tab, enable Log an entry in the application event log.
  • Close the Data Collector Set.

Task 3: Define the Schedule

  • From the Properties of the DHCP Baseline Data Collector Set, define the schedule with the following parameters:
  • Accept the beginning date and set the start time to the current time, Monday through Friday.
  • Stop Condition: Overall duration of two hours
  • Close the Properties dialog box.
  • Open Performance Logs & Alerts.
  • Set the Startup type to Automatic.
  • Start the DHCP Baseline Data Collector Set monitoring process.
  • Expand Reports, User Defined, DHCP Baseline, 000001 node and verify that data is being collected.
  • After a few minutes, stop the data collection process on the DHCP Baseline node.
  • Expand the Reports, User Defined, DNS Baseline, 000001 node and verify that the data was collected.

Task 4: Monitor the DNS Server role with a Data Collector Set

  • In Server Manager, expand the Diagnostic node.
  • Navigate to User Defined under the Data Collector Sets node.
  • Create a new Data Collector Set with the following parameters:
  • Name: DNS Baseline
  • Create manually (Advanced)
  • Performance counter and Event trace data
  • In the performance counters dialog box, the Show description check box selected
  • DNS icon is expanded

Task 5: Add selected counters and alerts

  • Add the following counters:
  • AXFR Success Received
  • Caching Memory
  • Database Node Memory
  • Dynamic Update Received
  • Dynamic Update Rejected
  • Recursive Queries
  • Recursive Query Failures
  • Secure Update Failure
  • Zone Transfer Failure
  • Finish creating the Data Collector Set.
  • Open the Properties of the DNS Baseline Data Collector Set.

Task 6: Set Schedule, Enable Service, and Test Operations

  • Set the Schedule with the following parameters:
  • Accept the beginning date and set the start time to the current time, Monday through Friday.
  • Stop Condition: Overall duration of two hours
  • Close the Properties dialog box.
  • Begin the monitoring process of the DNS Baseline Data Collector Set.
  • Expand the Reports, User Defined, DNS Baseline, 000001 node and verify that data is being collected.
  • After a few minutes, stop the data collection process on the DNS Baseline node.
  • Expand the Reports, User Defined, DNS Baseline, 000001 node and verify that the data was collected.
  • Keep 6431-NYC-DC1 and 6431-NYC-SVR1 running.

Results: After this exercise, DNS and DHCP baselines should have been created and deployed.
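Baselines built by hand in Server Manager are hard to reproduce identically on a second server. The following is an added example, not part of the course: the logman.exe equivalent of Exercise 3, creating the DHCP Baseline and DNS Baseline counter sets with the counters from Tasks 2 and 5, the Duplicates Dropped/sec alert with its event-log action, and the two-hour stop condition. The performance object for the DHCPv6 counters is assumed to be named "DHCPv6 Server" as Performance Monitor shows it, the counter path uses the singular "Recursive Query Failure" as the DNS object names it, and the output folder and 15-second sample interval are assumptions.

```powershell
# Added example; not part of the Microsoft course. logman.exe equivalent of Exercise 3 on
# Windows Server 2008. Output folder and sample interval are assumptions; run as an administrator.
$Out = 'C:\PerfLogs\Baselines'   # assumed output folder

# DHCP Baseline: the four DHCPv6 counters from Task 2, sampled every 15 seconds into a
# binary log, stopping after two hours (the exercise's stop condition).
logman create counter "DHCP Baseline" -o "$Out\DHCP" -f bin -si 00:00:15 -rf 02:00:00 `
    -c "\DHCPv6 Server\Requests/sec" "\DHCPv6 Server\Renews/sec" `
       "\DHCPv6 Server\Releases/sec" "\DHCPv6 Server\Packets Expired/sec"

# DHCP alert: Duplicates Dropped/sec above 100 writes an entry to the Application event log
# (-el), matching the "Log an entry in the application event log" alert action in Task 2.
logman create alert "DHCP Alert" -si 00:00:15 -el -th "\DHCPv6 Server\Duplicates Dropped/sec>100"

# DNS Baseline: the nine DNS counters from Task 5.
logman create counter "DNS Baseline" -o "$Out\DNS" -f bin -si 00:00:15 -rf 02:00:00 `
    -c "\DNS\AXFR Success Received" "\DNS\Caching Memory" "\DNS\Database Node Memory" `
       "\DNS\Dynamic Update Received" "\DNS\Dynamic Update Rejected" `
       "\DNS\Recursive Queries" "\DNS\Recursive Query Failure" `
       "\DNS\Secure Update Failure" "\DNS\Zone Transfer Failure"

# Start collection and confirm the sets are running (Task 6's test of operations).
logman start "DHCP Baseline"
logman start "DHCP Alert"
logman start "DNS Baseline"
logman query

# After a few minutes, stop the collectors and open the .blg files under $Out in Performance Monitor:
#   logman stop "DHCP Baseline"; logman stop "DHCP Alert"; logman stop "DNS Baseline"
```

logman has no weekday option, so the Monday-through-Friday schedule from Tasks 3 and 6 is still set on the Schedule tab of each set's properties in Server Manager, or on the scheduled task that Windows creates for the set. From a security standpoint the DNS counters worth watching against the baseline are Dynamic Update Rejected, Secure Update Failure and Zone Transfer Failure: a rise in any of them means something is attempting updates or transfers the server's policy does not allow.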

Want more? Attend the full course at a Microsoft Learning Solutions partner near you and learn how to:

  • Create a plan for managing the addition, removal, and migration of Windows Server 2008 Network Infrastructure Server roles.
  • Develop baselines for monitoring and managing Windows Server 2008 Network Infrastructure Server roles.
  • Evaluate performance baselines and establish monitoring rules, and design acceptable thresholds and alarms when problems occur.
  • Analyze the implementation and configuration of a network environment running several network policy and access server roles.
  • Plan for the implementation and configuration of a RAS.
  • Evaluate and plan for the deployment of DNS and DHCP Server roles.
  • Maintain security for network infrastructure servers.

All Microsoft Official Courses, including this one, are delivered by Microsoft Certified Trainers (MCTs), industry-recognized experts, and offered through a network of more than 1,500 Microsoft Certified Partners for Learning Solutions (Learning Solutions partners) in more than 120 countries and regions throughout the world.