After DNS is installed, it can be managed using the DNS management console. Management tasks include configuring zone settings, creating and managing resource records, and monitoring the status and performance of DNS. The following sections discuss some of the common management tasks associated with DNS.

Managing DNS Zone Settings

After a zone has been successfully added to your DNS server, you can configure it via the zone's properties dialog box. To do so, right-click the zone from within the DNS management console and click Properties. The Properties dialog box for the zone displays six tabs, as shown in Figure 3.9. If Active Directory is not installed, only five tabs are available (the Security tab is not present).

Figure 3.9. You can configure a zone through its Properties dialog box
The following list summarizes each of the tabs for a DNS zone's properties:
Changing Zone Types

Using the General tab from the Zone Properties dialog box, you can change the current zone type (see Figure 3.10). To do so, click the Change button beside the zone type. You have the option of changing a primary or secondary zone to an Active Directory-integrated zone, or changing an Active Directory-integrated zone to a primary zone or secondary zone.

Figure 3.10. You can change the zone type via a zone's Properties dialog box
Before you attempt to change the zone type, be aware of the following points:
Dynamic Updates

Windows Server 2003, Windows XP, and Windows 2000 clients can interact directly with a DNS server. With dynamic updates, clients can automatically register their own resource records with a DNS server and update them as changes occur. Resource records are the entries within the DNS server database files. Each resource record contains information about a specific machine, such as the IP address or specific network services running. The type of information within a resource record depends upon the type of resource record that is created. For example, an A (address) record contains the IP address associated with a specific computer; it's used to map a hostname to an IP address.

Dynamic updates greatly reduce the administration associated with maintaining resource records, because they eliminate the need for administrators to update these records manually. In terms of DHCP, with a short lease duration configured, the IP address assigned to DNS clients can change frequently. If dynamic updates are not enabled, an administrator can end up spending a lot of time updating zone information. In addition, there is always the chance of human error when updates are done manually. Dynamic updates provide the following advantages:
Exam Alert

To implement dynamic updates on a network with pre-Windows 2000 clients, a DHCP server and a DNS server are required on the network. The DHCP and DNS servers must be running Windows Server 2003 or Windows 2000 because Windows NT 4.0 DNS servers don't support dynamic updates. A DHCP server is required to perform dynamic updates on behalf of clients that do not support this feature, such as Windows 95 clients.

By default, any Windows Server 2003, Windows XP, or Windows 2000 client can update its own records with the DNS server. The DHCP client service attempts to update records with the DNS server when any of the following events occur:
Let's take a look at an example of what happens when a Windows XP DNS client performs a dynamic update. Assume that you change a bayside.net workstation's computer name from computer1 to computer2. Upon changing the computer name, you are required to restart before the changes take effect. When the workstation restarts, the following process occurs:
Dynamic updates are configured on a per-zone basis. To configure a zone for dynamic update, right-click the zone within the DNS management console and click Properties. In the Properties dialog box, ensure that the General tab is selected. To enable dynamic updates, select one of the following options:
Exam Alert

When configuring dynamic updates, remember that the zone must be standard primary (information is stored locally in files) or Active Directory-integrated (information is stored on all DCs). Also, to use secure updates, the zone must be Active Directory-integrated. This feature is not supported by standard primary zones.

Secure Updates

Windows Server 2003 supports secure dynamic updates for zones that store information within Active Directory. With secure updates, only those clients authorized within the domain are permitted to update resource records. This means that the DNS server accepts updates only from clients that have accounts within Active Directory. Any computers that do not have accounts are not permitted to register any records, thereby eliminating the chance that unknown computers will register with the DNS server.

Secure updates for a zone can be configured by selecting the Secure Only option. The benefit of selecting this option is obviously an increase in security. The resource records and zone files can be modified only by users who have been authorized to do so. This also provides administrators with a finer granularity of control because they can edit the access control list (ACL) for the zone and specify which users and groups can perform dynamic updates. You edit the ACL for a zone by right-clicking the zone, selecting Properties, and choosing the Security tab.

Zone Transfers

Secondary servers get their zone information from a master name server. The master name server is the source of the zone file; it can be a primary server or another secondary server. If the master name server is a secondary server, it must first get the updated zone file from the primary server. The process of replicating a zone file to a secondary server is referred to as a zone transfer. Zone transfers occur between a secondary server and a master name server in the following situations:
Windows Server 2003 DNS (as well as Windows 2000 DNS) supports two types of zone transfers. Pre-Windows 2000 implementations of DNS supported a full zone transfer (AXFR) only, in which the entire zone file is replicated to the secondary server. This type of zone transfer is supported by most implementations of DNS. If the secondary server's zone file is not current, which means that changes were made, the entire zone file is replicated. The second type of zone transfer is known as an incremental zone transfer (IXFR), in which only the changes made to a zone file are replicated to the secondary server, thereby reducing the amount of network traffic.

Frequency of zone transfers is configured on the Start of Authority tab. The following list summarizes the configurable options for zone transfers. You can find these options on the SOA tab from the properties window for a zone:
Note

When zone information is stored within Active Directory, zone updates are replicated differently than in a standard primary/secondary scenario. DNS notification is no longer needed, and configuring a notify list is unnecessary. Instead, the DNS servers that store information within Active Directory poll Active Directory at 15-minute intervals to check for updates.

Zone Delegation

Delegation is the process of designating a portion of the DNS namespace for another zone. It gives administrators a way of dividing a namespace among multiple zones. For example, an administrator might place the bayside.net domain in one zone and place the sales.bayside.net subdomain in another delegated zone. The bayside.net zone would contain all the records for the sales subdomain if it is not delegated. Through delegating, the bayside.net zone contains only information for bayside.net, as well as records to the authoritative name servers for the sales.bayside.net zone. The host entries for any machines in sales.bayside.net are contained only on the delegated server. In any case, when deciding whether to delegate, keep the following points in mind:
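The Secure Updates and Zone Transfers sections above describe the settings that decide who may write to a zone and who may copy it. The following script is an added example (not from the book) that audits those settings on one Windows DNS server through the root\MicrosoftDNS WMI provider and flags zones that accept nonsecure dynamic updates or transfer to any requester. It assumes PowerShell 2.0 or later, administrative rights on the DNS server, the documented value meanings of the MicrosoftDNS_Zone properties AllowUpdate and SecureSecondaries, and a placeholder server name.

```powershell
# Added example (not from the book): audit dynamic-update and zone-transfer settings
# on a Windows DNS server. Server name is a placeholder; adjust for your environment.
param([string]$DnsServer = 'dns1.bayside.net')

# Value meanings as documented for the MicrosoftDNS_Zone WMI class (assumed correct).
$updateText = @{ 0 = 'no dynamic updates'; 1 = 'NONSECURE and secure updates'; 2 = 'secure updates only' }
$xferText   = @{ 0 = 'to ANY server'; 1 = 'only to servers in NS records';
                 2 = 'only to the listed secondaries'; 3 = 'disabled' }

function Get-DnsZoneAudit {
    param([string]$Server)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
      Where-Object { $_.Name -ne '..Cache' } |     # skip the cache pseudo-zone (assumed name)
      ForEach-Object {
        $findings = @()
        # Book: secure-only updates require an AD-integrated zone; anything else lets any host
        # that can reach the server create or overwrite records in the zone.
        if ([int]$_.AllowUpdate -eq 1) {
            $findings += 'accepts nonsecure dynamic updates'
        }
        if ([int]$_.AllowUpdate -eq 2 -and -not $_.DsIntegrated) {
            $findings += 'secure-only set on a zone that is not AD-integrated (unsupported)'
        }
        # Unrestricted transfers hand the whole zone file to any requester.
        if ([int]$_.SecureSecondaries -eq 0) {
            $findings += 'zone transfers allowed to any server'
        }
        New-Object PSObject -Property @{
            Zone          = $_.Name
            ADIntegrated  = [bool]$_.DsIntegrated
            DynamicUpdate = $updateText[[int]$_.AllowUpdate]
            ZoneTransfers = $xferText[[int]$_.SecureSecondaries]
            Findings      = [string]::Join('; ', $findings)
        }
      }
}

Get-DnsZoneAudit -Server $DnsServer |
    Format-Table -AutoSize Zone, ADIntegrated, DynamicUpdate, ZoneTransfers, Findings

# Remediation for a flagged zone uses the built-in dnscmd tool, for example:
#   dnscmd dns1.bayside.net /Config bayside.net /AllowUpdate 2          (secure updates only)
#   dnscmd dns1.bayside.net /ZoneResetSecondaries bayside.net /SecureNs  (transfers only to NS servers)
```

Running it periodically against every DNS server gives a simple check that the Secure Only and zone transfer settings chosen in the console have not drifted.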
Note

To facilitate the delegation of zones, you need the appropriate delegation records that point to authoritative name servers for the new zone(s).

You can use the following procedure to delegate a zone:
Managing DNS Record Settings

After resource records have been created, they can be managed through the management console. Tasks associated with resource records include modifying the resource records, deleting existing records, and configuring security.

Modifying Resource Records

If you have manually created resource records within a zone, at some point you might need to modify them, such as changing the IP address associated with a particular hostname. This won't be an issue if you are using dynamic updates because DNS clients (running the appropriate platform) can update this information on their own. You can modify a resource record within the DNS management console by selecting the appropriate zone, right-clicking the resource record, and clicking Properties (see Figure 3.11). For example, you can change the hostname, domain name, and IP address of a Host (A) record.

Figure 3.11. You can modify the properties of a resource record through the management console
Deleting Resource Records

You can delete resource records within a zone file at any time. For example, if you manually create resource records for a server and later remove it from the network, you will want to delete the records from the zone file. Deleting a record is a simple process. Simply right-click the record within the zone and click the Delete option. Click Yes to confirm your actions.

Modifying Security for Records

Each record has an associated ACL that can be edited. Doing so enables you to specify which users and groups are permitted to securely update the record and change their permissions. You can modify the security by opening the Properties window for a record and selecting the Security tab (see Figure 3.12).

Figure 3.12. You modify security for a record on its Security tab
Managing DNS Server Options

Most management tasks performed on a DNS server are done through the DNS management console. When you highlight your DNS server within the DNS management console and click the Action menu, you see a number of options that can be used to manage different aspects of DNS. Some of the options available are summarized as follows: