Chapter 19 - Optimizing DNS

This chapter discusses the techniques you'll use to set up and manage DNS (Domain Name System) on a network. DNS is a name resolution service that resolves computer names to IP addresses. Using DNS, the fully qualified host name omega.microsoft.com, for example, could be resolved to an IP address, which enables computers to find one another. DNS operates over the Transmission Control Protocol/Internet Protocol (TCP/IP) protocol stack and can be integrated with Windows Internet Naming Service (WINS), Dynamic Host Configuration Protocol (DHCP), and Active Directory directory service. Full integration with these Microsoft Windows networking features allows you to optimize DNS for Windows 2000 domains.

On This Page

  • Understanding DNS

  • Installing DNS Servers

  • Managing DNS Servers

  • Managing DNS Records

  • Updating Zone Properties and the SOA Record

  • Managing DNS Server Configuration and Security

  • Integrating WINS with DNS

Understanding DNS

DNS organizes groups of computers into domains. These domains are organized into a hierarchical structure, which can be defined on an Internet-wide basis for public networks or on an enterprise-wide basis for private networks (also known as intranets and extranets). The various levels within the hierarchy identify individual computers, organizational domains, and top-level domains. For the fully qualified host name omega.microsoft.com, omega represents the host name for an individual computer, Microsoft is the organizational domain, and com is the top-level domain.

Top-level domains are the first level below the root of the DNS hierarchy; the root itself is the unnamed zone that the trailing period in a fully qualified name refers to. Top-level domains are organized geographically, by organization type and by function. Normal domains, such as microsoft.com, are also referred to as parent domains because they're the parents of an organizational structure. Parent domains can be divided into subdomains, which can be used for groups or departments within an organization. Subdomains are often referred to as child domains. For example, the fully qualified domain name for a computer within a human resources group could be designated as jacob.hr.microsoft.com. Here, jacob is the host name, hr is the child domain, and microsoft.com is the parent domain.

Integrating Active Directory and DNS

As stated in Chapter 5, Active Directory domains use DNS to implement their naming structure and hierarchy. Active Directory directory service and DNS are tightly integrated, so much so that you must install DNS on the network before you can install Active Directory.

During installation of the first domain controller on an Active Directory network, you'll have the opportunity to automatically install DNS if a DNS server can't be found on the network. You'll also be able to specify whether DNS and Active Directory should be integrated fully. In most cases, you should respond affirmatively to both requests. With full integration, DNS information is stored directly in Active Directory. This allows you to take advantage of the capabilities of Active Directory. The difference between partial integration and full integration is very important:

  • Partial integration With partial integration, the domain uses standard file storage. DNS information is stored in text-based files that end with the .DNS extension, and the default location of these files is %SystemRoot%\System32\Dns. Updates to DNS are handled through a single authoritative DNS server. This server is designated as the primary DNS server for the particular domain or area within a domain called a zone. Dynamic updates, whether sent by clients or by DHCP on their behalf, must reach that primary server (a client locates it through the zone's SOA record); if they can't, the DNS information isn't updated. Likewise, dynamic updates can't be made at all while the primary DNS server is offline.

  • Full integration With full integration, the domain uses directory-integrated storage. DNS information is stored directly in Active Directory and is available through the container for the dnsZone object. Because the information is part of Active Directory, any domain controller can access the data and a multimaster approach can be used for dynamic updates through DHCP. This allows any domain controller running the DNS Server service to handle dynamic updates. Further, clients that use dynamic DNS updates through DHCP can use any DNS server within the zone. An added benefit of directory integration is the ability to use directory security to control access to DNS information: zone and record objects carry access control lists, and you can require secure dynamic updates so that only authenticated computers can create or change records, which a standard file-based zone can't enforce.

When you look at the way DNS information is replicated throughout the network, you also see advantages to full integration with Active Directory. With partial integration, DNS information is stored and replicated separately from Active Directory. By having two separate structures, you reduce the effectiveness of both DNS and Active Directory and make administration more complex. Because DNS is less efficient than Active Directory at replicating changes, you may also increase network traffic and the amount of time it takes to replicate DNS changes throughout the network.

Enabling DNS on the Network

To enable DNS on the network, you need to configure DNS clients and servers. When you configure DNS clients, you tell the clients the IP addresses of DNS servers on the network. Using these addresses, clients can communicate with DNS servers anywhere on the network, even if the servers are on different subnets. When the network uses DHCP, you should configure DHCP to work with DNS. To do this, you need to set the DHCP scope options 006 DNS Servers and 015 DNS Domain Name as specified in the section of Chapter 17 entitled "Setting Scope Options."

Additionally, if computers on the network need to be accessible from other Active Directory domains, you need to create records for them in DNS. DNS records are organized into zones, where a zone is simply an area within a domain.

Note: Configuring a DNS client is explained in the section of Chapter 15 entitled "Configuring DNS Resolution." Configuring a DNS server is explained in the following section of this chapter.

Installing DNS Servers

You can configure any Microsoft Windows 2000 server as a DNS server. Four types of DNS servers are available:

  • Active Directory-integrated primary A DNS server that is fully integrated with Active Directory. All DNS data is stored directly in the Directory.

  • Primary server The main DNS server for a domain that uses partial integration with Active Directory. This server stores a master copy of DNS records and the domain's configuration files. These files are stored as text with the .DNS extension.

  • Secondary server A DNS server that provides backup services for the domain. This server stores a copy of DNS records obtained from a primary server and relies on zone transfers for updates. Secondary servers obtain their DNS information from a primary server when they're started, and they maintain this information until the information is refreshed or expired.

  • Forwarding-only server A server that caches DNS information after lookups and that always passes requests to other servers. These servers maintain DNS information until it's refreshed or expired or until the server is restarted. Unlike secondary servers, forwarding-only servers don't request full copies of a zone's database files. This means that when you start a forwarding-only server, its database contains no information.

Before you configure a DNS server, you must install the DNS Server service. Afterward, you can configure the server to provide integrated, primary, secondary, or forwarding-only DNS services.

Installing the DNS Server Service

All domain controllers can act as DNS servers, and you may be prompted to install and configure DNS during installation of the domain controller. If you responded affirmatively to the prompts, DNS is already installed and the default configuration is set automatically. You don't need to reinstall.

If you're working with a member server instead of a domain controller or if you haven't installed DNS, complete the following steps to install DNS:

  1. Click Start, choose Settings, and then click Control Panel.

  2. In Control Panel, double-click Add/Remove Programs, and then click Add/Remove Windows Components. This changes the view in the Add/Remove Programs dialog box.

  3. Click Components to start the Windows Components Wizard, and then click Next.

  4. Under Components, click Networking Services, and then click Details.

  5. Under Subcomponents Of Networking Services, select the Domain Name System (DNS) check box.

  6. Click OK, and then click Next. If prompted, type the full path to the Windows 2000 distribution files and click Continue.

From now on, the DNS Server service should start automatically each time you reboot the server. If it doesn't start, you'll need to start it manually. See the section of this chapter entitled "Starting and Stopping a DNS Server."

Configuring a Primary DNS Server

Every domain should have a primary DNS server. This server can be integrated with Active Directory or it can act as a standard primary server. Primary servers should have forward lookup zones and reverse lookup zones. Forward lookups are used to resolve domain names to IP addresses. Reverse lookups resolve IP addresses back to domain names. They aren't an authentication mechanism, but some services log or check the name returned for a connecting address and refuse or misreport hosts whose reverse lookup fails or disagrees with the forward zone, so the two zones must be kept consistent.

Once you install the DNS Server service on the server, you can configure a primary server by completing the following steps:

  1. Start the DNS console. Click the Start menu, choose Programs, choose Administrative Tools (Common), and then select DNS. This displays the DNS console shown in Figure 19-1.

    If the server you want to configure isn't listed in the tree view, you'll need to connect to the server. Right-click DNS in the tree view and then choose Connect To Computer. Now do one of the following:

    • If you're trying to connect to a local server, select This Computer and then click OK.

    • If you're trying to connect to a remote server, select The Following Computer and then type the server's name or IP address. Then click OK.

  2. An entry for the DNS server should be listed in the tree view window of the DNS console. Right-click the server entry and then from the pop-up menu, choose New Zone. This starts the New Zone Wizard. Click Next.

    Figure 19-1: You use the DNS console to manage DNS servers on the network. An alternative to the DNS console is to use the Services And Applications node in Computer Management. Access the node and then click DNS.

  3. As Figure 19-2 shows, you can now select the zone type. If you're configuring a primary server integrated with Active Directory, select Active Directory-Integrated and then click Next. Otherwise, choose Standard Primary and then click Next.

  4. Select Forward Lookup Zone, and then click Next.

  5. Enter the full DNS name for the zone. The zone name should help determine how the server or zone fits into the DNS domain hierarchy. For example, if you're creating the primary server for the microsoft.com domain, you should type microsoft.com as the zone name.

  6. If you're configuring a standard primary zone, you need to set the zone file name. A default name for the zone's DNS database file should be filled in for you. You can use this name or type a new file name.

  7. Click Next, and then click Finish to complete the process. The new zone is added to the server and basic DNS records are created automatically.

  8. A single DNS server can provide services for multiple domains. If you have multiple parent domains, such as microsoft.com and msn.com, you can repeat this process to configure other forward lookup zones. You also need to configure reverse lookup zones. Follow the steps listed in the section of this chapter entitled "Configuring Reverse Lookups."

    Figure 19-2: In the New Zone Wizard, select Active Directory-Integrated or Standard Primary for the zone type.

  9. You need to create additional records for any computers that should be accessible to other DNS domains. Follow the steps listed in the section of this chapter entitled "Managing DNS Records."

Configuring a Secondary DNS Server

Secondary servers provide backup DNS services on the network. If you're using full Active Directory integration, you don't really need to configure secondaries. Instead, you should configure multiple domain controllers to handle DNS services. On the other hand, if you're using partial integration, you may want to configure secondaries to lessen the load on the primary server. On a small or medium-sized network, you may be able to use your Internet service provider's (ISP) name servers as secondaries; in this case, contact your ISP to have secondary DNS services configured for you. Whichever secondaries you use, the primary must allow zone transfers to them, and transfers should be restricted to those servers rather than permitted to any host that asks, because a zone transfer hands out a complete list of your hosts and addresses.

Because most queries that reach a secondary are forward lookups, reverse lookup zones may not be needed on secondaries. Reverse lookup zones are essential on primary servers, however, and must be configured for proper name resolution.

If you want to set up your own secondaries for backup services and load balancing, follow these steps:

  1. Start the DNS console and connect to the server you want to configure as described previously.

  2. Right-click the server entry, and then from the pop-up menu, choose New Zone. This starts the New Zone Wizard. Click Next.

  3. In the Zone Type dialog box, select Standard Secondary. Click Next.

  4. Secondary servers can use both forward and reverse lookup zone files. You'll create the forward lookup zone first, so select Forward Lookup Zone and then click Next.

  5. Enter the name of the zone, exactly as it is defined on the primary server (for example, microsoft.com), and then click Next.

  6. Secondary servers copy zone data from a master server, normally the primary. Type the IP address of the primary server for the zone, and then click Add. If the zone can also be transferred from other servers (such as another secondary), add their IP addresses as well; the secondary tries them in the order listed.

  7. Click Next and then click Finish.

  8. On a busy or large network, you may need to configure reverse lookup zones on secondaries. If so, follow the steps listed in the following section of this chapter, "Configuring Reverse Lookups."

Configuring Reverse Lookups

Forward lookups are used to resolve domain names to IP addresses. Reverse lookups are used to resolve IP addresses to domain names. Each segment on your network should have a reverse lookup zone. For example, if you have the subnets 192.168.10.0, 192.168.11.0, and 192.168.12.0, you should have three reverse lookup zones.

The standard naming convention for reverse lookup zones is to write the network ID in reverse order and append the suffix in-addr.arpa. With the previous example, you'd have reverse lookup zones named 10.168.192.in-addr.arpa, 11.168.192.in-addr.arpa, and 12.168.192.in-addr.arpa. Records in the reverse lookup zone must be kept in sync with the forward lookup zone. If the zones get out of sync, services that perform a reverse lookup on connecting hosts (for logging or as an access check) will fail to identify those hosts or will identify them wrongly.
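The naming rule above, and the forward/reverse consistency check that follows from it, as an added example in Python (not part of the original chapter). The functions build in-addr.arpa names from a network ID or a host address, then compare a set of A records against a set of PTR records to find hosts with no PTR record, PTR records that name a host with no A record, and PTR records whose name disagrees with the A record for that address. The host names and addresses are constructed for the example and do not correspond to any real zone.

```python
"""Reverse-lookup zone naming and a forward/reverse consistency check.

Added example, not from the original chapter. All host names and
addresses below are constructed for illustration.
"""
import ipaddress


def reverse_zone_name(network):
    """in-addr.arpa zone name for an IPv4 network with a /8, /16 or /24 mask.

    Classless (non-octet) prefixes need RFC 2317 style delegation and are
    rejected here rather than guessed at.
    """
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError(f"{network}: need an IPv4 /8, /16 or /24 network")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_owner_name(address):
    """Owner name of the PTR record for one IPv4 address."""
    addr = ipaddress.ip_address(address)
    if addr.version != 4:
        raise ValueError(f"{address}: IPv4 only")
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"


def _canon(name):
    """Case-insensitive, trailing-period-insensitive form of a DNS name."""
    return name.lower().rstrip(".")


def check_forward_reverse(a_records, ptr_records):
    """Compare A records (fqdn, ip) with PTR records (owner, fqdn).

    Returns three lists:
      missing_ptr  A records whose address has no PTR record
      orphan_ptr   PTR records naming a host that has no A record
      mismatched   PTR records naming a different host than the A record
                   for that address (a stale PTR, or two hosts sharing an
                   address; either way a reverse-lookup check will fail)
    A stale PTR whose target no longer exists appears in both of the last two.
    """
    forward = {}
    for name, ip in a_records:
        forward.setdefault(_canon(name), set()).add(ip)
    reverse = {_canon(owner): _canon(name) for owner, name in ptr_records}

    missing_ptr, orphan_ptr, mismatched = [], [], []
    for name, ips in forward.items():
        for ip in sorted(ips):
            owner = ptr_owner_name(ip)
            if owner not in reverse:
                missing_ptr.append((name, ip))
            elif reverse[owner] != name:
                mismatched.append((ip, reverse[owner], name))
    for owner, name in reverse.items():
        if name not in forward:
            orphan_ptr.append((owner, name))
    return {"missing_ptr": missing_ptr, "orphan_ptr": orphan_ptr,
            "mismatched": mismatched}


# Constructed sample data using the chapter's example domain.
SAMPLE_A = [
    ("omega.microsoft.com.", "192.168.10.5"),
    ("jacob.hr.microsoft.com.", "192.168.11.7"),
    ("beanie.microsoft.com.", "192.168.12.14"),   # no PTR record at all
]
SAMPLE_PTR = [
    ("5.10.168.192.in-addr.arpa.", "omega.microsoft.com."),
    ("7.11.168.192.in-addr.arpa.", "zeta.microsoft.com."),     # stale PTR
    ("9.12.168.192.in-addr.arpa.", "retired.microsoft.com."),  # host is gone
]

if __name__ == "__main__":
    for net in ("192.168.10.0/24", "192.168.11.0/24", "192.168.12.0/24"):
        print(net, "->", reverse_zone_name(net))
    for problem, items in check_forward_reverse(SAMPLE_A, SAMPLE_PTR).items():
        print(problem, items)
```

In practice you would feed the two lists from exported zone files or from a script that queries each server; every entry in the mismatched list is a host for which a reverse-lookup check by some other service will fail.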

You create reverse lookup zones by doing the following:

  1. Start the DNS console and connect to the server you want to configure as described previously.

  2. Right-click the server entry, and then from the pop-up menu, choose New Zone. This starts the New Zone Wizard. Click Next.

  3. Select Active Directory-Integrated, Standard Primary, or Standard Secondary based on the type of server you're working with.

  4. Select Reverse Lookup Zone. Click Next.

  5. Type the network ID and subnet mask for the reverse lookup zone. The values you enter set the default name for the reverse lookup zone.

    Tip If you have multiple subnets on the same network, such as 192.168.10 and 192.168.11, enter only the network portion for the zone name. That is, you would use 168.192.in-addr.arpa and allow the DNS console to create the necessary subnet zones when needed.

  6. If you're configuring a standard primary or secondary server, you need to set the zone file name. A default name for the zone's DNS database file should be filled in for you. You can use this name or type a new file name.

  7. If you're configuring a secondary server, type the IP address of the primary server for the zone and then click Add. If the zone can also be transferred from other servers, add their IP addresses as well.

  8. Click Next, and then click Finish.

Once you set up the reverse lookup zones, you need to ensure that delegation for the zone is handled properly. Contact the Information Services department or your Internet service provider to ensure that the zones are registered with the parent domain.

Managing DNS Servers

The DNS console is the tool you'll use to manage local and remote DNS servers. As shown in Figure 19-3, the main window of the DNS console is divided into two panes. The left pane allows you to access DNS servers and their zones. The right pane shows the details for the currently selected item. You can work with the DNS console in several ways:

  • Double-click an entry in the left pane to expand the list of items beneath it.

    Figure 19-3: You manage domains and subnets through the Forward Lookup Zones and Reverse Lookup Zones folders.

  • Select an entry in the left pane to display details such as zone status and domain records in the right pane.

  • Right-click an entry to display a context menu with available options.

The Forward Lookup Zones and Reverse Lookup Zones folders provide access to the domains and subnets configured for use on this server. When you select domain or subnet folders in the left pane, you can manage DNS records for the domain or subnet.

Adding Remote Servers to the DNS Console

You can manage servers running DNS from the DNS console by doing the following steps:

  1. Right-click DNS in the console tree, and then select Connect To Computer. This opens the dialog box shown in Figure 19-4.

  2. If you're trying to connect to the local computer, select This Computer. Otherwise, select The Following Computer and then type the IP address or fully qualified host name of the remote computer to which you want to connect.

  3. Click OK. Windows 2000 attempts to contact the server, and if it does, it adds the server to the console.

Note: If a server is offline or otherwise inaccessible due to security restrictions or problems with the remote procedure call (RPC) service, the connection will fail. You can still add the server to the console by clicking Yes when prompted.

Figure 19-4: Connect to a local or remote server through the Select Target Computer dialog box.

Removing a Server from the DNS Console

In the DNS console, you can delete a server by selecting its entry and then pressing Del. When prompted, click OK to confirm the deletion. Deleting a server only removes it from the Server List. It doesn't actually delete the server.

Starting and Stopping a DNS Server

To manage DNS servers, you use the DNS Server service. You can start, stop, pause, and resume the DNS Server service in the Services node of Computer Management or from the command line. You can also manage the DNS Server service in the DNS console. Right-click the server you want to manage in the DNS console, choose All Tasks and then select Start, Stop, Pause, Resume, or Restart, as appropriate.

Note: In Computer Management, right-click DNS, choose All Tasks, and then select Start, Stop, Pause, Resume, or Restart, as appropriate.

Creating Child Domains Within Zones

Using the DNS console, you can create child domains within a zone. For example, if you created the primary zone microsoft.com, you could create hr.microsoft.com and mis.microsoft.com subdomains for the zone. You create child domains by completing the following steps:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Right-click the parent domain entry, and then from the pop-up menu, select New Domain.

  3. Enter the name of the new domain, and then click OK. For hr.microsoft.com, you would enter hr. For mis.microsoft.com, you would enter mis.

Creating Child Domains in Separate Zones

As your organization grows, you may want to organize the DNS name space into separate zones. At the corporate headquarters you could have a zone for the parent domain microsoft.com. At branch offices you could have zones for each office, such as memphis.microsoft.com, newyork.microsoft.com, and la.microsoft.com.

You create child domains in separate zones by completing the following steps:

  1. Install a DNS server in each child domain, and then create the necessary forward and reverse lookup zones for the child domain as described in the section of this chapter entitled "Installing DNS Servers."

  2. On the authoritative DNS server for the parent domain, you delegate authority to each child domain. Delegation places NS records for the child domain (and A records for its name servers, when those servers are themselves inside the child domain) in the parent zone, so that any resolver that reaches the parent's servers is referred on to the child's servers and can resolve names in the child domain.

You delegate authority to a child domain by completing the following steps:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Right-click the parent domain entry, and then from the pop-up menu, select New Delegation. This starts the New Delegation Wizard.

  3. As shown in Figure 19-5, type the name of the child domain and then click Next. The name you enter updates the value in the Fully Qualified Domain Name field.

    Figure 19-5: Entering the name of the child domain sets the fully qualified domain name.

  4. Click Add. This displays the dialog box shown in Figure 19-6.

  5. In the Server Name field, type the fully qualified host name of a DNS server for the child domain.

  6. In the IP Address field, type the primary IP address for the server. Click Add. Repeat this process to specify additional IP addresses for the server. The order of the entries determines which IP address is used first. Change the order as necessary using the Up and Down buttons.

    Tip If you know the name of a server rather than its IP address, type the name in the Server Name field, and then click Resolve. The IP address is then entered in the IP Address field, if possible. Add the server by clicking Add.

  7. Click OK, and then repeat steps 4–6 to specify other authoritative DNS servers for the child domain.

  8. Click Next, and then click Finish to complete the process.

    Figure 19-6: Type the fully qualified name of a DNS server for the child domain and then type the IP address(es) for the server.

Deleting a Domain or Subnet

Deleting a domain or subnet permanently removes it from the DNS server. To delete a domain or subnet, follow these steps:

  1. In the DNS console, right-click the domain or subnet entry.

  2. From the pop-up menu, select Delete, and then confirm the action by clicking OK.

Note: Deleting a domain or subnet deletes all DNS records in a zone file but doesn't actually delete the zone file on a standard primary or standard secondary server. You'll find that the actual zone file remains in the %SystemRoot%\System32\Dns directory. You can delete this file if you like.

Managing DNS Records

After you create the necessary zone files, you can add records to the zones. Computers that need to be accessed from Active Directory and DNS domains must have DNS records. Although there are many different types of DNS records, most of these record types aren't commonly used. So rather than focus on record types you probably won't use, let's focus on the ones you will use:

  • A (address) Maps a host name to an IP address. When a computer has multiple adapter cards or IP addresses, or both, it should have multiple address records.

  • CNAME (canonical name) Sets an alias for a host name. For example, using this record, zeta.microsoft.com can have an alias as www.microsoft.com.

  • MX (mail exchange) Specifies a mail exchange server for the domain, which allows mail to be delivered to the correct mail servers in the domain.

  • NS (name server) Specifies a name server for the domain, which allows DNS lookups within various zones. Each primary and secondary name server should be declared through this record.

  • PTR (pointer) Creates a pointer that maps an IP address to a host name for reverse lookups.

  • SOA (start of authority) Declares the host that's the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone).

Adding Address and Pointer Records

The A record maps a host name to an IP address and the PTR record creates a pointer to the host for reverse lookups. You can create address and pointer records at the same time or separately.

You create a new host entry with A and PTR records by doing the following:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Right-click the domain you want to update, and then from the pop-up menu, choose New Host. This opens the dialog box shown in Figure 19-7.

    Figure 19-7: Create A records and PTR records simultaneously with the New Host option.

  3. Type the single-part computer name and IP address.

  4. Select the Create Associated Pointer (PTR) Record check box.

  5. Click OK.

    Note: You can only create PTR records if the corresponding reverse lookup zone is available. You can create this file by following the steps listed in the section of this chapter entitled "Configuring Reverse Lookups."

  6. Click Add Host. Repeat as necessary to add other hosts.

  7. Click Done when you're finished.

Adding a PTR Record Later

If you need to add a PTR record later, you can do so by completing the following steps:

  1. In the DNS console, expand the Reverse Lookup Zones folder for the server you want to work with.

  2. Right-click the subnet you want to update, and then from the pop-up menu, choose New Pointer. This opens the dialog box shown in Figure 19-8.

    Figure 19-8: You can add PTR records later, if necessary, with the New Resource Record dialog box.

  3. Type the host IP number, and then type the fully qualified domain name of the computer, such as 10.10.1.14 and beanie.microsoft.com. Click OK.

Adding DNS Aliases with CNAME

You specify host aliases using CNAME records. Aliases allow a single host computer to appear to be multiple host computers. For example, the host gamma.microsoft.com can be made to appear as www.microsoft.com and ftp.microsoft.com.

To create a CNAME record, follow these steps:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Right-click the domain you want to update and then from the pop-up menu, choose New Alias. This opens the dialog box shown in Figure 19-9.

  3. Type the alias in the Alias Name field. The alias is a single-part host name, such as www or ftp.

  4. In the Fully Qualified Name For Target Host Field, type the full host name of the computer for which the alias is to be used.

  5. Click OK.

    Figure 19-9: When you create the CNAME record, be sure to use the single-part host name and then the fully qualified host name.

Adding Mail Exchange Servers

MX records identify mail exchange servers for the domain. These servers are responsible for processing or forwarding mail within the domain. When you create an MX record, you must specify a preference number for the mail server. A preference number is a value from 0 to 65,535 that denotes the mail server's priority within the domain. The mail server with the lowest preference number has the highest priority and is the first to receive mail. If mail delivery fails, the mail server with the next lowest preference number is tried.

You create a MX record by doing the following:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Right-click the domain you want to update, and then from the pop-up menu, choose New Mail Exchanger. This opens the dialog box shown in Figure 19-10.

    You can now create a record for the mail server by filling in these fields:

    • Host Or Domain Leave this blank to create the MX record for the domain itself, or enter a single-part host or subdomain name to create an MX record for that name.

    • Mail Server Enter the fully qualified host name.

    • Mail Server Priority Enter a preference number for the host from 0 to 65,535.

    Figure 19-10: Mail servers with the lowest preference number have the highest priority.

    Tip Assign preference numbers that leave room for growth. For example, use 10 for your highest priority mail server, 20 for the next, and 30 for the one after that.

  3. Click OK.
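The record types listed under "Managing DNS Records", together with the MX preference rule above and the CNAME aliasing described earlier, as an added Python example that is not from the original chapter. It parses a small zone written in the RFC 1035 text format that standard primary zones are stored in, lists the mail exchangers in preference order, and follows CNAME aliases to their A records, treating an alias loop as the error it is. The zone contents (microsoft.com with hypothetical hosts such as mail1, gamma and loop1) are constructed for the example.

```python
"""Parse a small RFC 1035 style zone and work with its records.

Added example, not from the original chapter. The zone text is constructed;
every host in it is hypothetical.
"""
import re
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")
RR_TYPES = {"A", "CNAME", "MX", "NS", "PTR", "SOA"}


def absolute(name, origin):
    """Fully qualify a relative name under origin; names are lowercased."""
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin, default_ttl=3600):
    """Return Record objects for the zone text; unknown record types raise."""
    origin = origin.rstrip(".") + "."
    ttl = default_ttl
    records = []
    # Drop ; comments, then fold parenthesised multi-line records onto one line.
    cleaned = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    cleaned = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), cleaned)
    last_name = origin
    for line in cleaned.splitlines():
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1].rstrip(".") + "."
            continue
        if fields[0] == "$TTL":
            ttl = int(fields[1])
            continue
        # A leading blank means "same owner name as the previous record".
        name = last_name if line[0].isspace() else fields.pop(0)
        name = origin if name == "@" else absolute(name, origin)
        last_name = name
        rec_ttl = ttl
        if fields and fields[0].isdigit():
            rec_ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        if rtype not in RR_TYPES:
            raise ValueError(f"{name}: unsupported record type {rtype}")
        if rtype == "A":
            rdata = fields[0]
        elif rtype in ("CNAME", "NS", "PTR"):
            rdata = absolute(fields[0], origin)
        elif rtype == "MX":
            rdata = (int(fields[0]), absolute(fields[1], origin))
        else:  # SOA: primary, responsible, serial, refresh, retry, expire, minimum
            rdata = (absolute(fields[0], origin), absolute(fields[1], origin),
                     *(int(f) for f in fields[2:7]))
        records.append(Record(name, rec_ttl, rtype, rdata))
    return records


def mail_servers(records, domain):
    """MX targets for domain, lowest preference number (highest priority) first."""
    domain = domain.rstrip(".").lower() + "."
    mx = [r.rdata for r in records if r.rtype == "MX" and r.name == domain]
    return [target for _, target in sorted(mx)]


def resolve_addresses(records, name, max_chain=8):
    """Follow CNAME aliases to A records; a loop or over-long chain raises."""
    name = name.rstrip(".").lower() + "."
    seen = set()
    while len(seen) <= max_chain:
        if name in seen:
            raise ValueError(f"CNAME loop at {name}")
        seen.add(name)
        addrs = [r.rdata for r in records if r.name == name and r.rtype == "A"]
        if addrs:
            return addrs
        aliases = [r.rdata for r in records if r.name == name and r.rtype == "CNAME"]
        if not aliases:
            return []          # no such name, or a name with no address
        name = aliases[0]
    raise ValueError(f"CNAME chain longer than {max_chain} ending at {name}")


# Constructed zone for the chapter's example domain (hypothetical hosts).
SAMPLE_ZONE = """\
$TTL 3600
@       IN SOA  omega.microsoft.com. hostmaster.microsoft.com. (
                2005010101 ; serial
                900 600 86400 3600 )  ; refresh retry expire minimum
@       IN NS   omega.microsoft.com.
@       IN MX   20 mail2
@       IN MX   10 mail1.microsoft.com.
omega   IN A    192.168.10.5
gamma   IN A    192.168.10.8
mail1   IN A    192.168.10.25
mail2   IN A    192.168.10.26
www     IN CNAME gamma
ftp     IN CNAME www
loop1   IN CNAME loop2
loop2   IN CNAME loop1
"""

if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE, "microsoft.com")
    print(mail_servers(recs, "microsoft.com"))          # mail1 before mail2
    print(resolve_addresses(recs, "ftp.microsoft.com"))  # ftp -> www -> gamma
```

The loop guard matters in practice: a pair of aliases pointing at each other is easy to create through the New Alias dialog, and a resolver that follows the chain without a limit will spin rather than answer.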

Adding Name Servers

Name Server records specify the name servers for the domain. Each primary and secondary name server should be declared through this record. If you obtain secondary name services from an Internet service provider, be sure to insert the appropriate Name Server records.

You create a Name Server record by doing the following:

  1. In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.

  2. Display the DNS records for the domain by selecting the domain folder in the tree view.

  3. Right-click an existing Name Server record in the view pane, and then select Properties. This opens the Properties dialog box for the domain with the Name Servers tab selected, as shown in Figure 19-11.

  4. Click Add.

  5. In the Server Name field, type the fully qualified host name of the DNS server you're adding.

    Figure 19-11: Configure name servers for the domain through the domain's Properties dialog box.

  6. In the IP Address field, type the primary IP address for the server. Click Add. Repeat this process to specify additional IP addresses for the server. The order of the entries determines which IP address is used first. Change the order as necessary using the Up and Down buttons.

  7. Click OK. Repeat steps 4–6 to specify other DNS servers for the domain.

Viewing and Updating DNS Records

To view or update DNS records, follow these steps:

  1. Double-click the zone you want to work with. Records for the zone should be displayed in the right pane.

  2. Double-click the DNS record you want to view or update. This opens the record's Properties dialog box. Make the necessary changes and click OK.

Updating Zone Properties and the SOA Record

Each zone has separate properties that you can configure. These properties set general zone parameters by using the start of authority (SOA) record, change notification, and WINS integration. In the DNS console, you open a zone's properties in either of the following ways:

  • Right-click the zone you want to update, and then from the pop-up menu, choose Properties.

  • Select the zone, and then from the Action menu, choose Properties.

Properties dialog boxes for forward and reverse lookup zones are identical except for the WINS and WINS-R tabs. In forward lookup zones, you use the WINS tab to configure lookups for NetBIOS computer names. In reverse lookup zones, you use the WINS-R tab to configure reverse lookups for NetBIOS computer names.

Modifying the Start Of Authority Record

A start of authority (SOA) record designates the authoritative name server for a zone and sets general zone properties, such as retry and refresh intervals. You can modify this information by doing the following:

  1. In the DNS console, right-click the zone you want to update and then from the pop-up menu, choose Properties.

  2. Click the Start Of Authority (SOA) tab, and then update the fields shown in Figure 19-12.

You use the fields of the Start Of Authority (SOA) tab as follows:

  • Serial Number A serial number that indicates the version of the DNS database files. The number is updated automatically whenever you make changes to zone files. You can also update the number manually. Secondary servers use this number to determine if the zone's DNS records have changed. If the primary server's serial number is larger than the secondary server's serial number, the records have changed and the secondary server can request the DNS records for the zone. You can also configure DNS to notify secondary servers of changes (which may speed up the update process).

    Figure 19-12: Use the zone's Properties dialog box to set general properties for the zone and to update the SOA record.

  • Primary Server The fully qualified domain name for the name server, followed by a period. The period is used to terminate the name and ensure that the domain information isn't appended to the entry.

  • Responsible Person The e-mail address of the person in charge of the domain. The default entry is administrator followed by a period, meaning administrator@your_domain. If you change this entry, substitute a period in place of the at (@) symbol in the e-mail address and terminate the address with a period.

  • Refresh Interval The interval at which a secondary server checks for zone updates. If it's set to 60 minutes, NS record changes may not get propagated to a secondary server for up to an hour. You reduce network traffic by increasing this value.

  • Retry Interval The time the secondary server waits after a failure to download the zone database. If it's set to 10 minutes and a zone database transfer fails, the secondary server will wait 10 minutes before requesting the zone database once more.

  • Expires After The period of time for which zone information is valid on the secondary server. If the secondary server can't download data from a primary server within this period, the secondary server lets the data in its cache expire and stops responding to DNS queries. Setting Expires After to seven days allows the data on a secondary server to be valid for seven days.

  • Minimum (Default) TTL The minimum time-to-live value for cached records on a secondary server. The value is set in the format Days : Hours : Minutes : Seconds. When this value is reached, the secondary server expires the associated record and discards it. The next request for the record will need to be sent to the primary server for resolution. Set the minimum TTL to a relatively high value, such as 24 hours, to reduce traffic on the network and increase efficiency. However, keep in mind that a higher value slows down the propagation of updates through the Internet.

  • TTL For This Record The time-to-live value for this SOA record itself. The value is set in the format Days : Hours : Minutes : Seconds and generally should be the same as the minimum TTL for all records.

Notifying Secondaries of Changes

You set properties for a zone with its start of authority record. These properties control how DNS information is propagated on the network. You can also specify that the primary server should notify secondary name servers when changes are made to the zone database. To do this, follow these steps:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

  2. On the Zone Transfers tab, click Notify. This displays the dialog box shown in Figure 19-13.

    Figure 19-13: You can notify all secondaries listed on the Name Servers tab or specific servers that you designate.

  3. By default, all secondary servers listed on the Name Servers tab are notified of changes. If you want to designate specific servers to notify, select The Following Servers, and then type the IP addresses of secondary servers to notify. Click OK.

Restricting Zone Transfers

Restricting access to zone information is a security precaution you may want to consider using on your network. When you restrict access to zone information, only servers that you've identified can request updates from the zone's primary server. This allows you to funnel requests through a select group of secondary servers, such as your Internet service provider's secondary name servers, and to hide the details of your internal network from the outside world.

To restrict access to the primary zone database, follow these steps:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

  2. Click the Zone Transfers tab. Zone transfers send a copy of zone information to other DNS servers. These servers can be in the same domain or in other domains. By default, zone information is transferred to any server that requests it.

  3. To restrict transfers to name servers listed on the Name Servers tab, select Allow Zone Transfers and then click Only To Servers Listed On The Name Servers Tab.

  4. To restrict transfers to designated servers, select Allow Zone Transfers and then click Only To The Following Servers. Afterward, type the IP addresses for the servers that should receive zone transfers. Click OK.

Setting the Zone Type

When you create zones, they are designated as Active Directory-integrated, standard primary, or standard secondary. You can change the type at any time by completing the following steps:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

  2. On the General tab, click Change. In the Change Zone Type dialog box, select the new type for the zone.

Enabling and Disabling Dynamic Updates

Dynamic updates allow DNS clients to register and maintain their own address and pointer records. This is useful for computers dynamically configured through DHCP. By enabling dynamic updates, you make it easier for dynamically configured computers to locate each other on the network. When a zone is integrated with Active Directory, you have the option of requiring secure updates. With secure updates, you use access control lists to control which computers and users can dynamically update DNS.

You can enable and disable dynamic updates by completing the following steps:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

    Use the following options of the Allow Dynamic Updates selection list to enable or disable dynamic updates:

    • No Disable dynamic updates.

    • Yes Enable dynamic updates.

    • Only Secure Updates Enable dynamic updates with Active Directory security. This is available only with Active Directory integration.

  2. Click OK.

Note: DNS integration settings must also be configured for DHCP. See the section of Chapter 17 entitled "Integrating DHCP and DNS."

Managing DNS Server Configuration and Security

You use the Server Properties dialog box to manage the general configuration of DNS servers. Through it, you can enable and disable IP addresses for the server and control access to DNS servers outside the organization. You can also configure monitoring, logging, and advanced options.

Enabling and Disabling IP Addresses for a DNS Server

By default, multihomed DNS servers respond to DNS requests on all available network adapters and the IP addresses they're configured to use.

Through the DNS console, you can specify that the server can only answer requests on specific IP addresses. To do this, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Interfaces tab, shown in Figure 19-14, select Only The Following IP Addresses and then type the IP addresses that should respond to DNS requests. Only these IP addresses will be used for DNS. All other IP addresses on the server will be disabled for DNS.

Figure 19-14: Use the Interfaces tab to set the IP addresses that should handle DNS requests and responses.

Controlling Access to DNS Servers Outside the Organization

Restricting access to zone information allows you to specify which internal and external servers can access the primary server. For external servers, this controls which servers can get in from the outside world. You can also control which DNS servers within your organization can access servers outside it. To do this, you need to set up DNS forwarding within the domain.

With DNS forwarding, you configure DNS servers within the domain as

  • Nonforwarders Servers that must pass DNS queries they can't resolve on to designated forwarding servers. These servers essentially act like DNS clients to their forwarding servers.

  • Forwarding-only Servers that can only cache responses and pass requests on to forwarders. This is also known as a caching-only DNS server.

  • Forwarders Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders use normal DNS communication methods to resolve queries and to send responses back to other DNS servers.

Note: The root server for a domain can't be configured for forwarding. But all other servers can be configured for forwarding.

Creating Nonforwarding DNS Servers

To create a nonforwarding DNS server, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Forwarders tab, select Enable Forwarders.

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. This value controls how long the server keeps trying a forwarder that doesn't respond. When the Forward Time Out interval passes, the server tries the next forwarder on the list. The default is 0 seconds. Click OK.

Creating Forwarding-Only Servers

To create a forwarding-only server, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Forwarders tab, select Enable Forwarders and then select Operate As Slave Server.

  3. Enter the IP addresses of the network's forwarders.

  4. Set the Forward Time Out. This value controls how long the server keeps trying a forwarder that doesn't respond. When the Forward Time Out interval passes, the server tries the next forwarder on the list. The default is 0 seconds. Click OK.

Creating Forwarders

Any DNS server that isn't designated as a nonforwarder or a forwarding-only server will act as a forwarder. Thus, on the network's designated forwarders, you should make sure that Enable Forwarders and Operate As Slave Server are not selected.

Logging DNS Activity

You normally use the DNS Server event log to track DNS activity on a server. This log records all applicable DNS events and is accessible through the Event Viewer node in Computer Management. If you're trying to troubleshoot DNS problems, it's sometimes useful to configure a temporary debug log to track certain types of DNS events. To do this, follow these steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. In the Logging tab, shown in Figure 19-15, select the events you want to track temporarily. These events are logged in %SystemRoot%\System32\Dns\Dns.log by default.

  3. Click OK. When you're finished debugging, turn off logging by clearing any of the selected check boxes in the Logging tab.

Monitoring DNS Server

Windows 2000 has built-in functionality for monitoring DNS server. You can configure monitoring to occur manually or automatically by completing the following steps:

  1. In the DNS console, right-click the server you want to configure and then from the pop-up menu, choose Properties.

  2. Select the Monitoring tab, shown in Figure 19-16. You can perform two types of tests. To test DNS resolution on the current server, select A Simple Query Against This DNS Server. To test DNS resolution in the domain, select A Recursive Query To Other DNS Servers.

    Figure 19-15: Select the events you want to log, and then click OK. Don't forget to clear these events after you've finished debugging.

  3. You can perform a manual test by clicking Test Now or schedule the server for automatic monitoring by selecting Perform Automatic Testing At The Following Interval and then setting a time interval in seconds, minutes, or hours.

    Figure 19-16: You can configure a DNS server for manual or automatic monitoring. Monitoring is useful to ensure that DNS resolution is configured properly.

    Real World If you're actively troubleshooting a DNS problem, you may want to configure testing to occur every 10–15 seconds. This will provide a rapid succession of test results. If you're monitoring DNS for problems as part of your daily administrative duties, you'll want a longer time interval, such as two or three hours.

  4. The results of testing are shown in the Test Results area. You'll see a date and time stamp indicating when the test was performed and a result, such as Pass or Fail. While a single failure may be the result of a temporary outage, multiple failures normally indicate a DNS resolution problem.

Integrating WINS with DNS

You can integrate DNS with WINS. WINS integration allows the server to act as a WINS server or to forward WINS requests to specific WINS servers. When you configure WINS and DNS to work together, you can configure forward lookups using NetBIOS computer names, reverse lookups using NetBIOS computer names, caching and time-out values for WINS resolution, and full integration with NetBIOS scopes.

Configuring WINS Lookups in DNS

When you configure WINS lookups in DNS, the leftmost portion of the fully qualified domain name can be resolved using WINS. The procedure works like this: The DNS server looks for an address record for the fully qualified domain name. If a record is found, the server uses the record to resolve the name using only DNS. If a record isn't found, the server extracts the leftmost portion of the name and uses WINS to try to resolve the name (as a NetBIOS computer name). You configure WINS lookups in DNS by doing the following:

  1. In the DNS console, right-click the domain you want to update and then from the pop-up menu, choose Properties.

  2. Click the WINS tab, shown in Figure 19-17.

  3. Select Use WINS Forward Lookup and then type the IP addresses of the network's WINS servers. You must specify at least one WINS server.

  4. If you want to ensure that the WINS record on this server isn't replicated to other DNS servers in zone transfers, select Do Not Replicate This Record. Selecting this option is useful to prevent errors and transfer failures to non-Microsoft DNS servers. Click OK.

Figure 19-17: Use the WINS tab to configure WINS lookups in DNS.

Configuring Reverse WINS Lookups in DNS

When you configure reverse WINS lookups in DNS, the IP address of the host can be resolved to a NetBIOS computer name. The procedure works like this: The DNS server looks for a pointer record for the specified IP address. If a record is found, the server uses the record to resolve the fully qualified domain name. If a record isn't found, the server sends a request to WINS, and, if possible, WINS returns the NetBIOS computer name for the IP address and the host domain is appended to this computer name.

You configure reverse WINS lookups in DNS by doing the following:

  1. In the DNS console, right-click the subnet you want to update and then from the pop-up menu, choose Properties.

  2. Click the WINS-R tab, shown in Figure 19-18.

    Figure 19-18: Use the WINS-R tab to configure WINS reverse lookups in DNS.

  3. Select Use WINS-R Lookup, and then, if you wish, select Do Not Replicate This Record. As with forward lookups, you usually don't want to replicate the WINS-R record to non-Microsoft DNS servers.

  4. In the Domain To Append To Returned Name field, type the host domain information. The domain is appended to the computer name returned by WINS. For example, if you type seattle.domain.com and WINS returns the NetBIOS computer name gamma, the DNS server will combine the two values and return gamma.seattle.domain.com.

  5. Click OK.

Setting Caching and Time-Out Values for WINS in DNS

When you integrate WINS and DNS, you should also set WINS caching and time-out values. The caching value determines how long records returned from WINS are valid. The time-out value determines how long DNS should wait for a response from WINS before timing out and returning an error. These values are set for both forward and reverse WINS lookups.

You set caching and time-out values for WINS in DNS by doing the following:

  1. In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.

  2. Select the WINS or WINS-R tab, as appropriate, and then click Advanced. This opens the dialog box shown in Figure 19-19.

  3. Set the caching and time-out values using the Cache Time-Out field and the Lookup Time-Out field. By default, DNS caches WINS records for 15 minutes and times out after 2 seconds. For most networks, you should increase these values. Sixty minutes for caching and three seconds for time-outs may be better choices.

  4. Click OK. Repeat this process for other domains and subnets, as necessary.

    Figure 19-19: In the Advanced dialog box, set caching and time-out values for DNS.

Configuring Full Integration with NetBIOS Scopes

When you configure full integration, lookups can be resolved using NetBIOS computer names and NetBIOS scopes. Here, a forward lookup works like this: The DNS server looks for an address record for the fully qualified domain name. If it finds a record, the server uses the record to resolve the name using only DNS. If it doesn't find a record, the server extracts the leftmost portion of the name as the NetBIOS computer name and the remainder of the name as the NetBIOS scope. These values are then passed to WINS for resolution.

You configure full integration of WINS and DNS by doing the following:

  1. In the DNS console, right-click the domain or subnet you want to update, and then from the pop-up menu, choose Properties.

  2. Select the WINS or WINS-R tab, as appropriate, and then click Advanced.

  3. In the Advanced dialog box, select Submit DNS Domain As NetBIOS Scope.

  4. Click OK. Repeat this process for other domains and subnets, as necessary.

Before you use this technique, make sure that the NetBIOS scope is properly configured on the network. You should also make sure that a consistent naming scheme is used for all network computers. Because NetBIOS is case-sensitive, queries resolve only if the case matches exactly. Note also that if the domain has subdomains, the subdomains must be delegated the authority for name services in order for WINS and DNS integration to work properly.
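As an added example that is not part of the chapter, the following Python model walks through the forward, reverse and scope-aware WINS lookup order described in the preceding sections, including the case-sensitivity rule and the default 15-minute WINS cache time-out. The zone data, the WINS database and the cached_forward_lookup helper are constructed for illustration; a real server consults its zone database and the configured WINS servers.

```python
from typing import Dict, Optional, Tuple

# Constructed zone data: A records (FQDN -> IPv4) and the matching PTR records.
A_RECORDS: Dict[str, str] = {"omega.seattle.domain.com": "10.1.2.3"}
PTR_RECORDS: Dict[str, str] = {"10.1.2.3": "omega.seattle.domain.com"}

# Constructed WINS database keyed by (NetBIOS name, NetBIOS scope).
# NetBIOS names are case-sensitive, so keys are stored exactly as registered.
WINS: Dict[Tuple[str, str], str] = {
    ("gamma", ""): "10.1.2.4",                    # registered with no scope
    ("delta", "seattle.domain.com"): "10.1.2.5",  # registered inside a scope
}
WINS_REVERSE: Dict[str, Tuple[str, str]] = {ip: key for key, ip in WINS.items()}

# Default WINS cache time-out from the chapter: 15 minutes, in seconds.
WINS_CACHE_TIMEOUT = 15 * 60
_cache: Dict[Tuple[str, bool], Tuple[str, int]] = {}  # (name, scope_mode) -> (address, expiry)


def forward_lookup(fqdn: str, scope_mode: bool = False) -> Optional[str]:
    """Resolve a name the way the chapter describes: DNS first, then WINS.
    Without scope_mode only the leftmost label goes to WINS; with it
    (Submit DNS Domain As NetBIOS Scope) the rest of the name is the scope."""
    if fqdn in A_RECORDS:
        return A_RECORDS[fqdn]  # answered by DNS alone
    host, _, remainder = fqdn.partition(".")
    scope = remainder if scope_mode else ""
    return WINS.get((host, scope))  # None unless name, scope and case match exactly


def reverse_lookup(ip: str, append_domain: str) -> Optional[str]:
    """Resolve an address: PTR record first, then WINS-R, appending the value
    of 'Domain To Append To Returned Name' to the NetBIOS name."""
    if ip in PTR_RECORDS:
        return PTR_RECORDS[ip]
    entry = WINS_REVERSE.get(ip)
    if entry is None:
        return None
    netbios_name, _scope = entry
    return f"{netbios_name}.{append_domain}"


def cached_forward_lookup(fqdn: str, now: int, scope_mode: bool = False) -> Optional[str]:
    """Same lookup, but an answer obtained from WINS stays valid for
    WINS_CACHE_TIMEOUT seconds; DNS answers are not cached here."""
    if fqdn in A_RECORDS:
        return A_RECORDS[fqdn]
    hit = _cache.get((fqdn, scope_mode))
    if hit is not None and now < hit[1]:
        return hit[0]  # served from the WINS cache
    address = forward_lookup(fqdn, scope_mode)
    if address is not None:
        _cache[(fqdn, scope_mode)] = (address, now + WINS_CACHE_TIMEOUT)
    return address
```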
