Installing and Configuring the DNS Server Service

At one time or another, most of us have typed a universal resource locator (URL) to get to one of our favorite Web sites. Before you can view the Web site stored on a Web server, that URL you typed must be resolved to an IP address, and this is where DNS servers come into play. You might have also heard the term fully qualified domain name (FQDN). An FQDN contains both the hostname and a domain name. It uniquely identifies a host within a DNS hierarchy. For example, www.bayside.net is an FQDN. Every FQDN is broken down into different levels, each separated by a period. In the preceding example, .net is the top-level domain and bayside is the second-level domain. The top-level domain normally identifies the type of organization, such as a government organization (gov) or an educational organization (edu). The second-level domain indicates a specific domain within that top-level namespace, whereas the third level might indicate a specific host within that domain. In all cases, DNS servers are used to resolve FQDNs to IP addresses.

DNS can use two different processes to resolve queries: recursive and iterative. With a recursive query, the DNS client requires the DNS server to respond with either the IP address for the requested name or an error message stating that the requested name does not exist. The DNS server cannot refer the client to another DNS server if it cannot map the request to an IP address. When a DNS server receives a recursive request, it queries other DNS servers until it finds the information or until the query fails. With an iterative query, the DNS server uses zone information and its cache to return the best possible answer to the client. If the DNS server does not have the requested information, it can refer the client to another DNS server. For example, when a DNS client enters www.bayside.net into a browser, the following process occurs:
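The recursive and iterative lookups just described, as an added example that is not part of the original text: a small in-memory simulation of the lookup path for www.bayside.net. The client's server accepts a recursive query and must return an address or an error, so it walks the referral chain itself with iterative queries and caches the answer; a second lookup of the same name generates no upstream traffic, and a name the authoritative server does not know comes back as an error rather than a referral. The root, .net and bayside.net server addresses, the records, and the class and function names are all constructed for this illustration.

```python
"""Recursive vs. iterative DNS resolution, simulated in memory.

Added example, not from the original text. The hierarchy below (a root server,
a .net TLD server and the bayside.net authoritative server), its addresses and
its records are constructed for illustration only.
"""

# Constructed authoritative data. Each server knows only its own zone: a host
# address (A) or a delegation (NS). For simplicity an NS entry carries the
# address of the delegated server directly (in real DNS that address comes
# from a glue record).
SERVERS = {
    "198.51.100.1": {"zone": ".", "records": {("net.", "NS"): "198.51.100.2"}},
    "198.51.100.2": {"zone": "net.", "records": {("bayside.net.", "NS"): "198.51.100.3"}},
    "198.51.100.3": {"zone": "bayside.net.", "records": {("www.bayside.net.", "A"): "192.0.2.10"}},
}
ROOT_SERVER = "198.51.100.1"
MAX_REFERRALS = 8  # guard against referral loops in a broken delegation


def fqdn(name):
    """Normalise a name to its fully qualified, dot-terminated form."""
    return name if name.endswith(".") else name + "."


def iterative_query(server_ip, qname):
    """One iterative query. The server answers from its own data only and is
    allowed to hand back a referral instead of an address.

    Returns (status, data): ("answer", address), ("referral", next_server_ip)
    or ("nxdomain", None).
    """
    records = SERVERS[server_ip]["records"]
    if (qname, "A") in records:
        return "answer", records[(qname, "A")]
    # Best (longest) delegation that covers the queried name, if any
    best = None
    for (owner, rtype), data in records.items():
        if rtype == "NS" and (qname == owner or qname.endswith("." + owner)):
            if best is None or len(owner) > len(best[0]):
                best = (owner, data)
    if best:
        return "referral", best[1]
    return "nxdomain", None


class RecursiveResolver:
    """The DNS server a client sends recursive queries to. It may only return an
    address or an error, never a referral, so it walks the referral chain itself
    and caches every answer it obtains."""

    def __init__(self):
        self.cache = {}

    def resolve(self, name):
        """Return a dict with status, address and the list of servers queried."""
        qname = fqdn(name)
        if qname in self.cache:  # answered locally, no upstream traffic
            return {"status": "answer", "address": self.cache[qname], "queried": []}
        queried = []
        server = ROOT_SERVER
        for _ in range(MAX_REFERRALS):
            queried.append(server)
            status, data = iterative_query(server, qname)
            if status == "answer":
                self.cache[qname] = data
                return {"status": "answer", "address": data, "queried": queried}
            if status == "nxdomain":
                return {"status": "nxdomain", "address": None, "queried": queried}
            server = data  # follow the referral to the next server
        return {"status": "servfail", "address": None, "queried": queried}


if __name__ == "__main__":
    resolver = RecursiveResolver()
    print(resolver.resolve("www.bayside.net"))  # walks root -> net -> bayside.net
    print(resolver.resolve("www.bayside.net"))  # second time: served from cache
    print(resolver.resolve("ftp.bayside.net"))  # authoritative server reports it does not exist
```

The `queried` list in each result is the trace a practitioner would otherwise read from a packet capture: three servers on the first lookup, none on the cached repeat, and the full chain ending in an error for the unknown name.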
Now that you have a general idea of what happens when a DNS client attempts to connect to another computer using a hostname, let's take a look at the types of roles that can be assigned to Windows Server 2003 DNS.

Implementing Windows 2003 DNS Server Roles

You can configure a DNS server in one of three possible roles. The role the server plays depends on the configuration of zone files and how they are maintained. The zone files contain configuration information for the zone as well as the resource records.
The three possible DNS server configuration roles are as follows:
Keep in mind when you are planning DNS server roles that a single DNS server can perform multiple roles. For example, a DNS server can be the primary server for one zone and at the same time be a secondary server for another DNS zone.

Caching-only Server

All DNS servers maintain a cache.dns file that contains a list of all Internet root servers. Any time a DNS server resolves a hostname to an IP address, the information is added to the cache file. The next time a DNS client needs to resolve that hostname, the information can be retrieved from the cache instead of the Internet. Caching-only servers do not contain any zone information, which is the main difference between them and primary and secondary DNS servers. The main purpose of a caching-only server (other than providing name resolution) is to build the cache file as names are resolved. They resolve hostnames, cache the information, and return the results to the client. Because these servers hold no zone information, either hostnames are resolved from the cache or else another DNS server is required to resolve them. Caching-only servers are useful when you need to reduce network traffic. Again, because there is no zone information, no zone transfer traffic is generated (meaning that no information is replicated between DNS servers). Hostname traffic is also reduced as the cache file is built up because names can be resolved locally using the contents of the local DNS server's cache.
Primary Server

A primary DNS server hosts the working (writable) copy of a zone file. If you need to make changes to the zone file, it must be done from the server that is designated as the primary server for that zone. For those of you who are familiar with Windows NT 4.0, this is similar to how the primary domain controller (PDC) maintains the working copy of the directory database. After a server has been configured as a primary DNS server for a zone, it is said to be authoritative for that domain. Also, a single DNS server can be the primary DNS server for multiple zones.

Secondary Server

A secondary server gets all its zone information from a master DNS server. The secondary DNS server hosts a read-only copy of the zone file, which it gets from the primary server or another secondary DNS server. Through a process known as a zone transfer, the master DNS server sends a copy of the zone file to the secondary server.
For example, if Server2 is configured as a secondary server for bayside.net, Server2 would get all of its zone information from Server1, the primary DNS server for the zone. Any changes that need to be made to the zone file would have to be done on Server1. The changes would then be copied to Server2. As already mentioned, a DNS server can be both a primary and a secondary server at the same time. Using this example, Server2 could also be configured as the primary server for riverside.net, and, to provide fault tolerance for the zone file, Server1 could be configured as a secondary server for this zone. Secondary DNS servers provide the following benefits:
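The three roles described above (caching-only, primary and secondary), as an added example that is not part of the original text: an in-memory model in which Server1 is primary for bayside.net with Server2 as its secondary, Server2 is primary for riverside.net with Server1 as its secondary, and a third server holds no zones at all. An edit to a secondary's read-only copy is refused, an edit on the primary bumps the zone's serial number, and the secondary picks the change up on its next zone-transfer check. The zone contents, serial numbers, addresses and the `DnsServer`/`ZoneCopy` classes are constructed for this illustration; only the server and zone names follow the text's own example.

```python
"""DNS server roles (caching-only, primary, secondary) simulated in memory.

Added example, not from the original text. The zone contents and serial
numbers are constructed; Server1/Server2 and the zone names bayside.net and
riverside.net follow the text's own example.
"""


class ZoneCopy:
    """One server's copy of a zone: an SOA-style serial number plus records.
    Only the primary's copy is writable."""

    def __init__(self, serial, records, writable):
        self.serial = serial
        self.records = dict(records)
        self.writable = writable


class DnsServer:
    def __init__(self, name):
        self.name = name
        self.zones = {}    # zone name -> ZoneCopy
        self.masters = {}  # zone name -> DnsServer the zone is transferred from

    def add_primary_zone(self, zone, records):
        """Host the working (writable) copy of a zone."""
        self.zones[zone] = ZoneCopy(serial=1, records=records, writable=True)

    def add_secondary_zone(self, zone, master):
        """Host a read-only copy pulled from a master (primary or another
        secondary) through a zone transfer."""
        self.masters[zone] = master
        self.zones[zone] = ZoneCopy(serial=0, records={}, writable=False)
        self.refresh(zone)

    def update_record(self, zone, owner, address):
        """Edit a record. Allowed only on the primary, which bumps the serial so
        that secondaries can tell the zone has changed."""
        copy = self.zones[zone]
        if not copy.writable:
            raise PermissionError(
                f"{self.name} holds a read-only copy of {zone}; change it on the primary")
        copy.records[owner] = address
        copy.serial += 1

    def refresh(self, zone):
        """Zone transfer check: copy the master's zone if its serial is newer.
        Returns True when a transfer actually happened."""
        master_copy = self.masters[zone].zones[zone]
        local = self.zones[zone]
        if master_copy.serial > local.serial:
            local.records = dict(master_copy.records)
            local.serial = master_copy.serial
            return True
        return False

    def role_for(self, zone):
        """'primary', 'secondary' or None for a zone this server does not host."""
        if zone not in self.zones:
            return None
        return "primary" if self.zones[zone].writable else "secondary"

    def is_caching_only(self):
        """A caching-only server holds no zone data at all."""
        return not self.zones


def build_example():
    """Wire up the text's scenario plus a caching-only Server3 (constructed)."""
    server1, server2, server3 = DnsServer("Server1"), DnsServer("Server2"), DnsServer("Server3")
    server1.add_primary_zone("bayside.net", {"www.bayside.net.": "192.168.1.20"})
    server2.add_secondary_zone("bayside.net", master=server1)
    server2.add_primary_zone("riverside.net", {"www.riverside.net.": "192.168.2.20"})
    server1.add_secondary_zone("riverside.net", master=server2)
    return server1, server2, server3


if __name__ == "__main__":
    s1, s2, s3 = build_example()
    s1.update_record("bayside.net", "mail.bayside.net.", "192.168.1.30")
    print("transferred:", s2.refresh("bayside.net"), s2.zones["bayside.net"].records)
    print("Server3 caching-only:", s3.is_caching_only())
```

The serial comparison in `refresh` is the same rule a real secondary applies when it reads the master's SOA record: no transfer unless the master's serial is higher, which is why forgetting to increment the serial after a manual zone-file edit leaves secondaries stale.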
Installing DNS

DNS can be installed in several ways. It can be added during the installation of Windows Server 2003, after installation using the Configure Your Server Wizard, or through the Add or Remove Programs applet in the Control Panel. DNS can also be installed when promoting a server to a domain controller using the DCPROMO command. The only real requirement for installing DNS is a server running Windows Server 2003. It cannot be installed on a computer running Windows XP. Also, if you are using Dynamic Host Configuration Protocol (DHCP) on the network to assign IP addresses, it's generally a good idea to configure the DNS server with a static IP address that is outside the range of addresses included in the DHCP scope. To install the DNS Server service using the Add or Remove Programs applet within the Control Panel, perform the following steps:
Configuring DNS Server Options

When DNS is installed, the DNS management console is added to the Administrative Tools menu. From the management console, you can manage all aspects of a DNS server, from configuring zones to performing management tasks. A number of options can be configured for a DNS server. By right-clicking the DNS server within the management console and selecting the Properties option, the Properties window for the server is displayed (see Figure 3.1).

Figure 3.1. After installing the DNS service, you can configure DNS server options through the server's Properties dialog box.
The available tabs from the DNS server Properties sheet and their uses are summarized as follows:
Configuring DNS Zone Options

After you have installed the DNS Server service, your next step is to create and configure zones (unless the DNS server is not authoritative for any zones). A zone is basically an administrative entity. A zone is nothing more than a portion of the DNS database that is administered as a single unit. A zone can contain a single domain or span multiple domains. The DNS server that is authoritative for a zone is ultimately responsible for resolving any requests for that particular zone. The zone file maintains all of the configuration information for the zone and contains the resource records for the domains in the zone. Each new zone consists of a forward lookup zone and an optional reverse lookup zone. A forward lookup zone maps hostnames to IP addresses. When a client needs the IP address for a hostname, the information is retrieved from the forward lookup zone. A reverse lookup zone does the opposite. It allows for reverse queries, or mapping of an IP address back to a hostname. Reverse queries are often used when troubleshooting with the NSLookup command.

Zone Types

Windows Server 2003 supports four types of zones:
Creating Zones

After the DNS service is installed, you can manage it using the DNS management console. From this management console, you can begin configuring a DNS server by creating zones. To create a new zone, follow these steps:
Creating Resource Records

After a zone has been created, it can be populated with resource records. Remember, if your clients are all running Windows Server 2003, Windows XP, or Windows 2000 and the zone is configured for dynamic updates, the clients can add and update their own resource records. You can also manually add resource records to a zone file through the DNS management console. A number of resource records can be created. To view all of the resource records supported by Windows Server 2003 DNS, right-click a zone and select Other New Records (see Figure 3.5).

Figure 3.5. The next step in zone creation is populating the zone with DNS resource records.
The following list summarizes some of the more common resource records you might encounter:
As already mentioned, resource records can be created using the DNS management console. To create a new host record, simply right-click the zone in which you want to create the record and select the New Host (A) option. In the New Host dialog box, type the name and IP address for the host. To automatically create a pointer record, select the Create Associated Pointer (PTR) Record check box (see Figure 3.6).

Figure 3.6. You can add a new host record via the DNS management console.
To create additional resource records, simply select the type of record you want to create and fill in the required information.
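The forward lookup zone, its resource records and the associated reverse lookup zone described in the two sections above, as an added example that is not part of the original text: a parser for a small zone in standard zone-file syntax (SOA, NS, MX, A and CNAME records), a forward lookup that follows a CNAME alias to its host record, and the PTR records that the Create Associated Pointer (PTR) Record option would create for each host, together with the in-addr.arpa name of the reverse lookup zone that holds them. The zone contents, addresses and function names are constructed for this illustration; only the bayside.net name follows the text.

```python
"""Forward lookup zone records and the matching reverse lookup zone.

Added example, not from the original text. The zone below is constructed in
standard zone-file syntax; every address, record and hostname is invented for
this illustration (only the bayside.net name follows the text).
"""
import ipaddress

# Constructed forward lookup zone for bayside.net.
FORWARD_ZONE = """\
$ORIGIN bayside.net.
@        SOA   server1.bayside.net. hostmaster.bayside.net. 2003010101 3600 600 86400 3600
@        NS    server1.bayside.net.
@        MX    10 mail.bayside.net.
server1  A     192.168.1.10
www      A     192.168.1.20
mail     A     192.168.1.30
ftp      CNAME www.bayside.net.   ; alias: resolves through the www host record
"""


def parse_zone(text):
    """Return [(owner, type, rdata)] with every owner name fully qualified."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        owner, rtype, rdata = line.split(None, 2)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, rtype.upper(), rdata.strip()))
    return records


def forward_lookup(records, name):
    """Resolve a hostname to an address, following at most one CNAME alias."""
    name = name if name.endswith(".") else name + "."
    by_owner = {(o, t): d for o, t, d in records}
    if (name, "CNAME") in by_owner:
        name = by_owner[(name, "CNAME")]
    return by_owner.get((name, "A"))


def ptr_name(address):
    """Owner name of the PTR record for an address, e.g. 20.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def reverse_zone_name(network):
    """Name of the reverse lookup zone for a /24 network such as 192.168.1.0/24."""
    net = ipaddress.ip_network(network)
    if net.prefixlen != 24:
        raise ValueError("this helper builds /24 reverse zone names only")
    o1, o2, o3, _ = str(net.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa."


def build_reverse_zone(records):
    """PTR records the 'Create Associated Pointer (PTR) Record' option would add:
    one per A record, mapping the address back to the hostname."""
    return {ptr_name(d): o for o, t, d in records if t == "A"}


def reverse_lookup(ptr_records, address):
    """Answer a reverse query (address -> hostname) from the reverse zone."""
    return ptr_records.get(ptr_name(address))


if __name__ == "__main__":
    recs = parse_zone(FORWARD_ZONE)
    print(forward_lookup(recs, "ftp.bayside.net"))                   # via the CNAME
    print(reverse_zone_name("192.168.1.0/24"))
    print(reverse_lookup(build_reverse_zone(recs), "192.168.1.30"))
```

Note that only A records get PTR entries: the CNAME for ftp has no address of its own, so a reverse query for 192.168.1.20 returns www.bayside.net., which is the behaviour to expect when NSLookup is used for reverse queries during troubleshooting.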
Configuring DNS Simple Forwarding

DNS servers often must communicate with DNS servers outside of the local network. A forwarder is an entry that is used when a DNS server receives DNS queries that it cannot resolve locally. It then forwards those requests to external DNS servers for resolution. By configuring forwarders, you can specify which DNS servers are responsible for handling external traffic. Otherwise, all DNS servers can send queries outside of the local network, possibly exposing DNS information to untrusted hosts on the Internet. Configuring forwarding adds another level of security to the network because only servers identified as forwarders are permitted to forward queries outside the local network. Additionally, if all DNS servers were allowed to forward queries outside the network, the result could be a large amount of unnecessary network traffic. This can become an important issue if the Internet connection is slow, costly, or already heavily utilized. Because a forwarder receives queries from local DNS servers, it builds up a large amount of cache information. This means that many of the queries received by the forwarder can be resolved from the cache instead of forwarding the requests outside the local network. This is obviously more efficient in terms of network traffic. When a DNS server configured to use forwarding receives a DNS query from a DNS client, the following process occurs:
A DNS server can be configured to send all queries that it cannot resolve locally to a forwarder, and you can also configure conditional forwarders. With conditional forwarders, DNS servers are configured to forward requests to different servers based on the DNS name within the query. When configuring conditional forwarding, you must specify the following information:
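The forwarding decision described in this section, as an added example that is not part of the original text: a model of a DNS server that answers from its own zones first, then from its cache, then sends the query to the most specific conditional forwarder whose domain name matches, and otherwise to the default forwarder list; answers obtained from a forwarder are cached so that the next query for that name never leaves the server. The `recurse_if_forwarder_fails` switch models the choice of whether the server falls back to its own recursion when the forwarders give no answer. The zone names, forwarder addresses, the `upstream` stand-in for the real servers and the class name are constructed for this illustration.

```python
"""Simple and conditional forwarding decisions on a DNS server.

Added example, not from the original text. The zone names, forwarder
addresses and the constructed `upstream` answer table stand in for real
servers; the bayside.net and riverside.net names follow the text.
"""


def fqdn(name):
    return name if name.endswith(".") else name + "."


def in_domain(qname, domain):
    return qname == domain or qname.endswith("." + domain)


class ForwardingServer:
    """A DNS server with its own zones, an optional default forwarder list and
    conditional forwarders keyed by domain name."""

    def __init__(self, local_zones, forwarders=(), conditional=None,
                 recurse_if_forwarder_fails=True):
        # local_zones: {zone: {fqdn: address}} constructed authoritative data
        self.local_zones = {fqdn(z): recs for z, recs in local_zones.items()}
        self.forwarders = list(forwarders)
        self.conditional = {fqdn(d): list(ips) for d, ips in (conditional or {}).items()}
        # When False, a failed forwarder ends the lookup instead of the server
        # trying the root hints itself.
        self.recurse_if_forwarder_fails = recurse_if_forwarder_fails
        self.cache = {}
        self.sent = []  # (qname, destination) for every query that left this server

    def plan(self, name):
        """Where a query goes: ("local", None), ("cache", None),
        ("conditional", [ips]), ("forwarder", [ips]) or ("recursion", None)."""
        qname = fqdn(name)
        if any(in_domain(qname, z) for z in self.local_zones):
            return "local", None
        if qname in self.cache:
            return "cache", None
        # Most specific conditional forwarder wins, e.g. corp.riverside.net over riverside.net
        matches = [d for d in self.conditional if in_domain(qname, d)]
        if matches:
            return "conditional", self.conditional[max(matches, key=len)]
        if self.forwarders:
            return "forwarder", self.forwarders
        return "recursion", None  # no forwarder configured: use root hints directly

    def resolve(self, name, upstream):
        """Resolve `name`; `upstream` maps server address -> {qname: address}
        (constructed stand-in for the network). Returns the address or None."""
        qname = fqdn(name)
        where, targets = self.plan(qname)
        if where == "local":
            zone = next(z for z in self.local_zones if in_domain(qname, z))
            return self.local_zones[zone].get(qname)
        if where == "cache":
            return self.cache[qname]
        if where in ("conditional", "forwarder"):
            for ip in targets:  # forwarders are tried in the configured order
                self.sent.append((qname, ip))
                answer = upstream.get(ip, {}).get(qname)
                if answer:
                    self.cache[qname] = answer  # forwarder's answer is cached locally
                    return answer
            if not self.recurse_if_forwarder_fails:
                return None
        # Own recursion, modelled as a single lookup against the root hints
        self.sent.append((qname, "root-hints"))
        answer = upstream.get("root-hints", {}).get(qname)
        if answer:
            self.cache[qname] = answer
        return answer


if __name__ == "__main__":
    srv = ForwardingServer(
        local_zones={"bayside.net": {"www.bayside.net.": "192.168.1.20"}},
        forwarders=["192.0.2.53"],
        conditional={"riverside.net": ["192.168.5.10"], "corp.riverside.net": ["192.168.6.10"]},
    )
    for q in ("www.bayside.net", "www.riverside.net", "host.corp.riverside.net", "www.example.com"):
        print(q, "->", srv.plan(q))
```

The `sent` log is what to compare against the traffic you expect to see leaving the server: once a name has been answered by a forwarder, the same name generates no further outbound query until the cached entry is gone.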
To configure DNS forwarders, follow these steps: