To install and start the DNS service on a computer running Windows 2000/.NET Server, use the standard Windows Component Wizard that can be found in the Add/Remove Programs applet in the Control Panel. Select Network Services and click Details. Check the Domain Name System (DNS) box and click OK and then Next.
After the system files have been copied (the Windows 2000/.NET Server installation CD will be required) and the service started, you will see a new DNS snap-in in the Administrative Tools group. The DNS service is now installed on the computer and needs to be configured.
At first, the new DNS server running on a normal server will work as a caching server and will not be authoritative for any zones. Look up the DNS Server log in the Event Viewer to be sure that the service was started successfully. (If you have installed the DNS server on a domain controller, its behavior will be different; see the next sections of this chapter.)
To configure and manage a Microsoft DNS Server, run the DNS command from the Administrative Tools menu. In the DNS snap-in's main window (see Fig. 4.1), you can use the convenient New Zone Wizard, which will help you create forward and reverse zones.
Fig. 4.1: The DNS snap-in's main window containing a few authoritative zones
When you simultaneously install Active Directory and the DNS service on a server that is the first domain controller in the network, the Active Directory Installation Wizard (DCpromo.exe) automatically creates an authoritative zone for the forest root domain on the DNS server. (If a DNS server already exists, you must first manually create a zone for the new forest and enable dynamic updates of the zone.)
When a child domain in an existing forest is created, the zone of the forest root domain is used, and the wizard itself will create an authoritative zone for that child. (You may change this behavior; see later in this chapter.) However, if you add a tree to a forest, you must manually create an authoritative zone for the new DNS name-space. Therefore, you always need to create the authoritative zones for every new domain tree manually (or new forest), except with simultaneous installation of Active Directory and DNS service on the same server.
The Dcpromo utility does not create any reverse zones on the DNS server. Therefore, to make the DNS server configuration fully operational, it is recommended that you: manually create an appropriate reverse zone (because some utilities and applications use it), enable dynamic updates for it, and re-register the domain controller address with the ipconfig /registerdns command.
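The three post-Dcpromo steps above, scripted with dnscmd.exe as an added example (this is not the book's own code). It assumes dnscmd is available (Support Tools on Windows 2000, the Windows .NET Server version otherwise), that it runs on the domain controller hosting the DNS server, and that the subnet is 192.168.1.0/24; both values are placeholders.

```batch
@echo off
rem Added example (not from the book): finish a Dcpromo-built DNS configuration.
rem Assumptions: dnscmd.exe is installed, the script runs on the DC that hosts
rem the DNS server ("." = local server), and the subnet is 192.168.1.0/24,
rem i.e. reverse zone 1.168.192.in-addr.arpa. Change both to match your network.
set DNSSRV=.
set REVZONE=1.168.192.in-addr.arpa

rem 1. Dcpromo creates no reverse zone, so add one as Active Directory-integrated.
dnscmd %DNSSRV% /ZoneAdd %REVZONE% /DsPrimary
if errorlevel 1 goto :fail

rem 2. Allow only secure dynamic updates (AllowUpdate: 0 = none, 1 = any, 2 = secure only;
rem    2 is accepted only for Active Directory-integrated zones).
dnscmd %DNSSRV% /Config %REVZONE% /AllowUpdate 2
if errorlevel 1 goto :fail

rem 3. Re-register the domain controller's own A and PTR records.
ipconfig /registerdns

rem 4. Verify: zone type and update policy, then the records registered so far
rem    (the PTR record appears once the update in step 3 has been processed).
dnscmd %DNSSRV% /ZoneInfo %REVZONE%
dnscmd %DNSSRV% /EnumRecords %REVZONE% @ /child
goto :eof

:fail
echo dnscmd reported an error; check the DNS Server log in Event Viewer.
exit /b 1
```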
Secure updates are only enabled for Active Directory-integrated zones. These zones are available only if the DNS server is installed on a domain controller.
When a text file zone becomes Active Directory-integrated, the appropriate zone file is moved from the %SystemRoot%\system32\dns folder to the nested \backup folder. At the same time, new objects (of the dnsZone and dnsNode types) for the zone are created in Active Directory in the System/MicrosoftDNS container in the domain partition (if zones are stored on domain controllers) or within the appropriate application partition (on a Windows .NET Server). The reverse transformation of a zone (from an Active Directory-integrated zone to a text file zone) is also possible.
Remember that Windows 2000 does not support application directory partitions. Therefore, to enable a DNS server running on a Windows 2000 DC to replicate Active Directory-integrated zones from a Windows .NET DNS server running on a Windows .NET DC, you must select the appropriate zone replication scope.
By default, the forward forest root domain authoritative zone (that includes the _msdcs subdomain, or node) and the root zone (".") are created as Active Directory-integrated and allow Only secure updates. This means that only authenticated users can update records. Sometimes, the Yes option in the Allow dynamic updates? list appears to be a better choice.
The "." zone, configured by default, makes the DNS server the root server, which prevents clients' queries from being sent — forwarded — to an external DNS name-space, e.g., to the Internet. To enable forwarders, you can just delete the "." zone. By default, the DNS server's IP address is specified on the Root Hints tab in the server's Properties window. If you have deleted the "." zone, make sure the server name has also been deleted from that tab.
The root zone (".") is not created by default on Windows .NET DNS servers. As a result, the DNS server can "natively" resolve DNS queries for external names (e.g., the Internet names) provided that the default gateway has been configured for the server and network connectivity has been established. In that case, root hints are used. To resolve external queries more efficiently, you may specify a DNS server's IP address (e.g., the server of your Internet Service Provider, ISP) on the Forwarders tab in the server's Properties window.
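The Windows 2000 procedure from the preceding paragraphs (remove the "." zone so that forwarding works, then configure a forwarder), as an added example using dnscmd.exe rather than the snap-in; it is not code from the book. The upstream server address 203.0.113.53 is a placeholder.

```batch
@echo off
rem Added example (not from the book): replace the self-made root server role
rem with forwarding on a Windows 2000 DNS server, using dnscmd.exe.
rem Assumption: 203.0.113.53 stands in for the ISP's (or other upstream) DNS server.
set DNSSRV=.
set FORWARDER=203.0.113.53

rem 1. List the zones; while a "." zone exists, forwarders have no effect.
dnscmd %DNSSRV% /EnumZones

rem 2. Delete the Active Directory-integrated "." zone (/DsDel removes it from
rem    the directory as well; /f skips the confirmation prompt).
dnscmd %DNSSRV% /ZoneDelete . /DsDel /f
if errorlevel 1 echo No "." zone was deleted; verify the zone list above.

rem 3. Send queries for external names to the upstream server (5-second timeout).
dnscmd %DNSSRV% /ResetForwarders %FORWARDER% /TimeOut 5

rem 4. Confirm the server settings. Afterwards open the Root Hints tab in the
rem    DNS snap-in and remove this server's own name if it is still listed.
dnscmd %DNSSRV% /Info
```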
By default, the Dcpromo utility creates two authoritative zones: the forest zone and the domain system zone _msdcs (see Fig. 4.1). Both zones are Active Directory-integrated and allow Only secure updates. The former zone is stored in the DomainDnsZones application partition that is replicated to all DNS servers in the forest root domain. The latter zone is stored in the ForestDnsZones application partition that is replicated to all DNS servers in the entire forest. Therefore, to enable a Windows 2000 DNS server running on a Windows 2000 DC to support these zones, you should change the replication scope of these zones.
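Checking and changing the replication scope of the two Dcpromo-created zones, as an added example (not from the book) with the Windows .NET Server version of dnscmd.exe, which has the /ZoneChangeDirectoryPartition switch. The forest root domain name corp.example is a placeholder.

```batch
@echo off
rem Added example (not from the book): show where the two Dcpromo zones are
rem stored and move them to the domain partition (the "legacy" scope that every
rem DC in the domain replicates) so a Windows 2000 DC can host them as well.
rem Assumptions: Windows .NET Server dnscmd.exe, run on the forest root DC that
rem hosts DNS; the forest root domain corp.example is a placeholder.
set DNSSRV=.
set DOMAIN=corp.example

rem 1. Inspect the current directory partition of each zone; look at the
rem    "Directory Partition" line in the output.
dnscmd %DNSSRV% /ZoneInfo %DOMAIN%
dnscmd %DNSSRV% /ZoneInfo _msdcs.%DOMAIN%

rem 2. Move both zones to the domain partition. Note that _msdcs then replicates
rem    only within this domain instead of forest-wide, as the text describes.
dnscmd %DNSSRV% /ZoneChangeDirectoryPartition %DOMAIN% /legacy
dnscmd %DNSSRV% /ZoneChangeDirectoryPartition _msdcs.%DOMAIN% /legacy

rem 3. Confirm the change and list the application partitions this server hosts.
dnscmd %DNSSRV% /ZoneInfo _msdcs.%DOMAIN%
dnscmd %DNSSRV% /EnumDirectoryPartitions
```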
You can increase the reliability of your network and install an additional (backup) DNS server. This task will be very simple if all the zones are Active Directory-integrated and the DNS server is installed on a domain controller. In that case, all DNS servers will be peers, and the term "secondary server" is not applicable since the authoritative zone(s) can be updated on any server.
In a Windows 2000 environment, every DC in the domain contains full DNS information. In a Windows .NET environment, you should first enable the DC to store replicas of the appropriate application partitions that hold DNS information. (Otherwise, the new DNS server will act as a simple caching server.) In either case, when you install a new DNS server, it will automatically load zone(s) from Active Directory and you need not create any zones. (For more information on managing application partitions, see the NTDSutil description in Chapter 10, "Diagnosing and Maintaining Domain Controllers.")
If the new DNS server is installed on a normal server, or if Active Directory-integrated zones are not used, you must create the zones manually and maintain the zone transfers. In that case, the new DNS server will act, most likely, as a secondary server, and the zones must be created as secondary.
When an additional DNS server has been installed, you may add the server's IP address to the list of DNS servers on every domain client computer or domain controller.