In most TCP/IP-based networks, name resolution is provided by one or more DNS servers, which are also required for Windows 2000 Server-based networks using Active Directory.
Although Active Directory works with any DNS server that complies with the appropriate standards, such as BIND version 8.2.2 or later, the DNS server provided with Windows 2000 Server is more than good enough. In fact, unless you already have BIND deployed on the network, you should use Microsoft's DNS server for the network. The DNS server in Windows 2000 Server is easy to set up, integrates well with Active Directory, provides full multimaster zone replication when using Active Directory-integrated zones, and generally works as it's supposed to.
If you're using Active Directory-integrated DNS, you can skip the next section, as DNS is automatically set up during the Active Directory Setup Wizard (see Chapter 11).
To install DNS, set up Active Directory on the server and let Windows install DNS at the same time. This provides domain controller functionality and also lets DNS benefit from Active Directory integration. To set up the server as a domain controller, see Chapter 11.
If DNS wasn't installed on the domain controller when you set up Active Directory, or you don't want to use Active Directory integration with DNS Server, follow these steps to install the DNS service, or use the Configure Your Server Wizard, which is discussed in Chapter 6:
An alternative to using a static IP address is to make a client reservation with the DHCP server so that the DNS server is always guaranteed the same IP address.
Figure 14-12. Installing the DNS service.
Windows 2000 provides a handy wizard to help you set up a DNS server. The following procedure walks you through the wizard, while later sections delve into more detail on individual tasks that the wizard accomplishes:
Figure 14-13. Choosing whether to create a forward lookup zone.
Figure 14-14. Choosing whether to create a primary or secondary forward lookup zone.
Real World
The Need (or Lack Thereof) for Secondary DNS Servers
Because of the pivotal role DNS plays in any TCP/IP-based network, it's vital for it to be reliable. Small networks can often make do with a single DNS server, but medium and large networks must have fault-tolerant DNS service.
One way of doing this is to set up secondary DNS servers to provide redundancy if the primary DNS server (of which there can be only one) doesn't respond to client queries. Secondary DNS servers can also be useful in reducing network traffic if placed in a location where the zone is heavily queried.
Another way of providing DNS redundancy is to add another Active Directory-integrated DNS server. Because Active Directory uses a full multiple-master model, all DNS servers using Active Directory-integrated zones can be primary servers—no secondary zones are required.
If you are going to use standard primary and secondary DNS servers, set up secondary DNS servers for both forward and reverse lookup zones. Fewer secondary servers are required for reverse lookup zones because of their infrequent use. They are usually placed outside the network and subnet that the reverse zone serves.
Figure 14-15. The Master DNS Servers screen.
Figure 14-16. Creating a reverse lookup zone.
Use the Nslookup command from a command prompt to test the functionality of the DNS server. However, the command's functionality is limited without a reverse lookup zone (you won't be able to perform reverse lookups to obtain DNS names from IP addresses). Consult online help for command reference information.
Real World
DHCP and Secure Dynamic Updates
If multiple DHCP servers are operating in the same DNS zone and you're using secure dynamic updates, you might end up with some stale DNS records if one of the DHCP servers fails. To prevent this, you can use the Active Directory Users and Computers MMC snap-in to add all DHCP servers to the DnsUpdateProxy group, which loosens permissions. Because of these loosened permissions, don't install DHCP on a domain controller in this scenario, unless DNS resource record security is of low importance to you (in which case it's probably easier to use unsecured dynamic updates).
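The ownership rule behind this advice, as an added illustration that is not from the book: under secure dynamic update the principal that first registers a name owns its records, while a member of DnsUpdateProxy creates records with no owner so that another DHCP server can still refresh them, which also means any authenticated principal can rewrite them (and the first non-proxy principal to do so takes ownership). The toy model below encodes those assumptions; the zone, the account names (dhcp1$, dhcp2$, dc1$, workstation7$) and the addresses are constructed.

```python
class SecureDynamicZone:
    """Toy model of secure dynamic update ownership. Assumptions built in:
    the first principal to register a name owns its records; a member of
    DnsUpdateProxy creates records with no owner; the first non-proxy
    principal that later updates an unowned record takes ownership of it."""

    def __init__(self, proxy_members=()):
        self.proxy_members = set(proxy_members)
        self.records = {}            # name -> {"ip": str, "owner": str or None}

    def update(self, name, ip, principal):
        rec = self.records.get(name)
        if rec is None:
            owner = None if principal in self.proxy_members else principal
            self.records[name] = {"ip": ip, "owner": owner}
            return "created"
        if rec["owner"] not in (None, principal):
            return "denied"          # another principal owns the record
        rec["ip"] = ip
        if rec["owner"] is None and principal not in self.proxy_members:
            rec["owner"] = principal  # non-proxy updater takes over the unowned record
        return "updated"


def dhcp_failover_outcome(use_proxy_group):
    """dhcp1$ registers a legacy client and then fails; dhcp2$ tries to refresh
    the record. Without the proxy group the refresh is denied and the record goes stale."""
    members = {"dhcp1$", "dhcp2$"} if use_proxy_group else set()
    zone = SecureDynamicZone(members)
    zone.update("client1.scribes.com.", "192.0.2.50", "dhcp1$")
    return zone.update("client1.scribes.com.", "192.0.2.51", "dhcp2$")


def dc_record_takeover(dhcp_on_dc):
    """dc1$ registers its own host record; a workstation then tries to rewrite it.
    If DHCP runs on the DC, dc1$ is in DnsUpdateProxy and its record has no owner."""
    members = {"dhcp2$", "dc1$"} if dhcp_on_dc else {"dhcp2$"}
    zone = SecureDynamicZone(members)
    zone.update("dc1.scribes.com.", "192.0.2.10", "dc1$")
    return zone.update("dc1.scribes.com.", "203.0.113.9", "workstation7$")


if __name__ == "__main__":
    print("DHCP failover without proxy group:", dhcp_failover_outcome(False))
    print("DHCP failover with proxy group:   ", dhcp_failover_outcome(True))
    print("DC record rewrite, DHCP elsewhere:", dc_record_takeover(False))
    print("DC record rewrite, DHCP on the DC:", dc_record_takeover(True))
```

The two outcomes are the trade-off the paragraph describes: the proxy group removes the stale-record problem across DHCP servers, and the same missing owner is what makes a domain controller's own records rewritable when DHCP is installed on it.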
Zones allow you to store portions of the DNS namespace so that a single DNS server can serve a portion of the namespace.
When setting up the domains, start with the top-level domain. Then create subdomains and delegate control of the domains to other DNS servers as necessary.
The two types of zones concerned are forward lookup zones and reverse lookup zones. Forward lookup zones are the types of zones normally associated with DNS servers; they return an IP address when given a DNS name. Reverse lookups are used less often, but they are still important. They provide the ability to resolve an IP address into a DNS name, something that Internet Information Services (IIS) uses for its log files (troubleshooting tools such as Nslookup rely on reverse lookup zones as well).
When you first set up a DNS server, you'll probably want to use the Configure A DNS Server Wizard (discussed in the previous section), which walks you through creating the first forward lookup zone. However, if you didn't use the wizard to set up the zones, or you need to create additional forward lookup zones, use the following procedure:
If you select the Forward Lookup Zone container in the console before choosing New Zone from the Action menu, the New Zone Wizard assumes that you intend to create a forward lookup zone and skips step 6.
Figure 14-17. The Zone Type screen of the New Zone Wizard.
Reverse lookup zones allow clients to resolve a host's DNS name from an IP address, which is useful for troubleshooting tools such as Nslookup. Reverse lookups also permit IIS log files to record DNS names instead of just IP addresses.
To create a new reverse lookup zone, follow these steps:
In most large network environments, you need to create subdomains and delegate their management to other DNS zones hosted by other DNS servers. Doing so eliminates the undesirable situation of having a large namespace hosted in a single zone by a single server. Thus, you might have a zone containing the root domain scribes.com as well as the subdomain marketing.scribes.com; however, you might have the subdomain tech.scribes.com and its subdomains delegated to a separate zone managed by another DNS server, as shown in Figure 14-18.
Figure 14-18. A domain tree with zones identified.
Be sure that you have a host record created for the DNS server in the forward lookup zone and a pointer record for the DNS server in the reverse lookup zone. DNS might not automatically create these (especially the pointer record) so double-check them—otherwise the server might not work.
Zones must have a contiguous namespace, so it isn't possible to combine subdomains from different branches of the namespace and place them in a single zone. Create separate zones for each noncontiguous part of the domain.
To create a new subdomain in an existing zone and then delegate authority over the domain to another DNS server, perform the following steps:
Subdomains don't have to be delegated to a different DNS server. Subdomains can even be created in new zone files and still be managed by the same server. This is useful if you want to host the domains on the same computer, yet manage them differently.
Figure 14-19. Delegating a subdomain.
When you delegate control over a subdomain to multiple DNS servers, Windows 2000 Server automatically monitors the round-trip times to the servers and selects the closest (fastest) one.
Figure 14-20. The Name Servers screen of the New Delegation Wizard.
After creating zones and subdomains, add resource records (RRs) for the domain server and any other servers with static IP addresses or IP reservations (DHCP servers, WINS servers, routers, and so on). The steps that follow are for adding new host RRs, but the process to add new pointer RRs, Alias (CNAME) RRs, mail exchangers, or other RRs is similar (note that the DNS server doesn't work properly without a host record and a pointer record, which might not be created automatically for you):
Figure 14-21. The New Host dialog box.
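A way to double-check the host and pointer records the text warns about (the DNS server's own A and PTR records, and any host added later), as an added example that is not from the book: the script parses a forward and a reverse zone in ordinary zone-file syntax and reports A records with no matching PTR, PTRs that point at a different name, and PTRs with no host record behind them. The zone contents are constructed (scribes.com. with documentation-range addresses) and the parser handles only the one-line record layout shown.

```python
import ipaddress

# Constructed sample zones in zone-file syntax; not data from the book or a real server.
FORWARD_ZONE = """\
$ORIGIN scribes.com.
@      IN SOA   dns1.scribes.com. hostmaster.scribes.com. (2001052301 3600 600 86400 3600)
@      IN NS    dns1.scribes.com.
dns1   IN A     192.0.2.10    ; the DNS server itself
dhcp1  IN A     192.0.2.11
www    IN A     192.0.2.20
mail   IN A     192.0.2.30
ftp    IN CNAME www.scribes.com.
"""

REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
@      IN SOA   dns1.scribes.com. hostmaster.scribes.com. (2001052301 3600 600 86400 3600)
@      IN NS    dns1.scribes.com.
11     IN PTR   dhcp1.scribes.com.
20     IN PTR   www.scribes.com.
30     IN PTR   smtp.scribes.com.  ; points at a name that has no host record
40     IN PTR   old.scribes.com.   ; stale: the host record is gone
"""


def parse_zone(text):
    """Parse a minimal subset of zone-file syntax: $ORIGIN and one-line
    'owner [TTL] IN TYPE rdata...' records. Returns (owner, type, rdata) tuples
    with owners as lower-case absolute names ending in '.'."""
    origin, records = ".", []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        cls_idx = [t.upper() for t in tokens].index("IN")
        owner = tokens[0].lower()
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append((owner, tokens[cls_idx + 1].upper(), tokens[cls_idx + 2:]))
    return records


def reverse_name(ip):
    """192.0.2.10 -> 10.2.0.192.in-addr.arpa. (the PTR owner name for that address)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_forward_reverse(forward_text, reverse_text):
    """Cross-check A records against PTR records in both directions."""
    a_records = {o: r[0] for o, t, r in parse_zone(forward_text) if t == "A"}
    ptr_records = {o: r[0].lower() for o, t, r in parse_zone(reverse_text) if t == "PTR"}
    missing, mismatched = [], []
    for name, ip in a_records.items():
        target = ptr_records.get(reverse_name(ip))
        if target is None:
            missing.append((name, ip))
        elif target != name:
            mismatched.append((name, ip, target))
    orphans = [(o, t) for o, t in ptr_records.items() if t not in a_records]
    return {"missing_ptr": missing, "mismatched_ptr": mismatched, "orphan_ptr": orphans}


if __name__ == "__main__":
    for kind, items in check_forward_reverse(FORWARD_ZONE, REVERSE_ZONE).items():
        print(kind, items)
```

In the constructed data the server's own address (dns1, 192.0.2.10) is the one with no pointer record, which is exactly the case the text says is often not created automatically.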
Real World
Changing DNS Records
When you make a change to the DNS records, make sure you choose the Update Server Data Files command from the Action menu after making the changes. This option increments the serial number, letting other DNS servers know that you made a change and that they need to update their information.
If you're using conventional DNS zones, add or change DNS records only from the primary DNS server for a zone. If you're using Active Directory-integrated DNS, you can make the changes to any Active Directory-based DNS and it propagates correctly to the other Active Directory DNS servers and notifies secondary servers that there are updated records.
Table 14-1. Supported DNS record types
Record Type | Common Name | Function | RFC |
---|---|---|---|
A | Address record | Maps a fully qualified domain name (FQDN) to a 32-bit IPv4 address | 1035 |
AAAA | IPv6 Host | Maps an FQDN to a 128-bit IPv6 address | 1886 |
AFSDB | Andrew file system (AFS) or distributed computing environment (DCE) record | Maps a DNS domain name to a server subtype that is either an AFS version 3 volume or an authenticated name server (NS) using DCE or network computing architecture (NCA) | 1183 |
ATMA | Asynchronous Transfer Mode (ATM) Address | Maps a host name to an ATM address | "ATM Name System Specification Version 1.0" |
CNAME | Canonical name or alias record | Maps a virtual domain name (alias) to a real domain name | 1035 |
HINFO | Host information record | Specifies the CPU and operating system type for the host | 1700 |
ISDN record | ISDN information | Maps an FQDN to an ISDN telephone number | 1183 |
Key | Public key resource record | Contains a public key for a DNS zone | 2535 |
MB | Mailbox name record | Maps a domain mail server name to the actual host name of the mail server | 1035 |
MG | Mail group record | Maps a domain mailing group to the actual mailbox (MB) resource records of its members | 1035 |
MINFO | Mailbox information record | Specifies a mailbox for the person who maintains the mailbox or list, and can also specify a mailbox for related errors | 1035 |
MR | Mailbox renamed record | Maps an old mailbox name to a new mailbox name for forwarding purposes | 1035 |
MX | Mail exchange record | Provides routing information to reach a given mailbox | 974 |
NS | Name server record | Specifies that the name server listed has a zone starting with the owner name | 1035 |
NXT | Next record | Specifies the nonexistence of the specified name | 2035 |
OPT | Option resource record | Specifies optional data with a DNS request or reply | 2671 |
PTR | Pointer resource record | Points to another DNS resource record, most often used in reverse lookup to point to the A record | 1035 |
RP | Responsible person information record | Provides information about the person responsible for a server | 1183 |
RT | Route-through record | Provides routing information for hosts lacking a direct WAN address | 1183 |
SIG | Signature resource record | Digitally signs a host name | 2535 |
SOA | Start of authority | Specifies the beginning of a zone and indicates the authoritative server | 1034 |
SRV | Service locator record | Provides a way of locating multiple servers providing similar TCP/IP services | 2052 |
TXT | Text record | Maps a DNS name to a string of descriptive text | 1035 |
WKS | Well-known services record | Describes the most popular TCP/IP services supported by a protocol on a specific IP address | 1035 |
X25 | X.25 information | Maps a DNS address to a public switched data network (PSDN) address number | 1083 |
More Info
For more information about each of these record types and what they mean, refer to the related RFC or see Microsoft Windows 2000 Server Resource Kit (2001), available from Microsoft Press.

Because the DNS service is so important to a modern TCP/IP-based network, and because it's essential to the operation of Active Directory, always configure multiple DNS servers in each zone to provide fault tolerance.
Windows 2000 Server supports several ways of achieving zone transfers between DNS servers managing a zone. If the DNS servers are using Active Directory to store their zone data, Active Directory handles the zone replication, allowing for a full multimaster model in which all servers are peers and any can make changes to the DNS database. Additionally, zone transfers are incremental so that only changed records are synchronized.
Windows 2000 Server also supports RFC 1995-compliant incremental zone transfers when using standard zone files. This incremental zone transfer method permits a secondary DNS server to pull only the zone changes that it needs to synchronize its copy of the zone data with the primary server's. If the serial number of the primary DNS server's zone file matches that of the secondary DNS server's serial number, no changes were made, so no zone transfer need take place.
Incremental zone transfers occur only if both servers support this feature. When performing zone transfers with Windows NT 4 DNS servers or other DNS servers that don't support this feature, a full zone transfer occurs. In a full zone transfer, the entire contents of the zone file are pulled from the primary DNS server by the secondary server.
If the DNS server is a secondary DNS server on a zone, the server is already configured to perform zone transfers with the master server in the zone. If the server is a primary server in the zone, the server is configured to perform zone transfers with any DNS servers that request them. This situation can be a potential security problem if someone wants to create a rogue DNS server and pull the zone data, so you might want to allow only certain DNS servers to perform zone transfers with the server. To modify the way zone transfers occur on the DNS server, follow these steps:
Figure 14-22. The Zone Transfers tab of the Properties dialog box.
Figure 14-23. The Notify dialog box.
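The decisions a primary makes when a transfer request arrives, as an added example that is not from the book: the serial comparison that tells a secondary whether anything changed (which is why Update Server Data Files increments the serial), the choice between an incremental and a full transfer, and the check of who is allowed to pull the zone at all. The three policy modes follow the choices on the Zone Transfers tab (any server, the servers on the Name Servers tab, an explicit list); the change journal, serials and addresses are constructed.

```python
SERIAL_MOD = 1 << 32            # SOA serials are unsigned 32-bit
SERIAL_HALF = 1 << 31


def serial_gt(a, b):
    """RFC 1982 comparison: True when serial a is newer than b, allowing wrap-around."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    if a == b:
        return False
    return (a > b and a - b < SERIAL_HALF) or (a < b and b - a > SERIAL_HALF)


def next_serial(current):
    """What Update Server Data Files does conceptually: bump the serial so secondaries notice."""
    return (current + 1) % SERIAL_MOD


# Constructed change journal kept by the primary: from-serial -> (to-serial, changes).
JOURNAL = {
    2001052301: (2001052302, [("del", "www.scribes.com.", "A", "192.0.2.20"),
                              ("add", "www.scribes.com.", "A", "192.0.2.21")]),
    2001052302: (2001052303, [("add", "ftp.scribes.com.", "CNAME", "www.scribes.com.")]),
}
PRIMARY_SERIAL = 2001052303


class ZoneTransferPolicy:
    """Who may pull the zone: 'any' (the default for a primary), 'name_servers'
    (only the servers listed on the Name Servers tab) or 'listed' (an explicit set)."""

    def __init__(self, mode, name_servers=(), listed=()):
        self.mode, self.name_servers, self.listed = mode, set(name_servers), set(listed)

    def allows(self, requester_ip):
        if self.mode == "any":
            return True
        if self.mode == "name_servers":
            return requester_ip in self.name_servers
        if self.mode == "listed":
            return requester_ip in self.listed
        raise ValueError(f"unknown mode {self.mode!r}")


def handle_transfer_request(policy, requester_ip, secondary_serial, ixfr_supported=True,
                            primary_serial=PRIMARY_SERIAL, journal=JOURNAL):
    """The primary's decision: ('refused'|'none'|'ixfr'|'axfr', changes_or_None)."""
    if not policy.allows(requester_ip):
        return ("refused", None)
    if not serial_gt(primary_serial, secondary_serial):
        return ("none", [])                      # secondary is current (or ahead)
    if not ixfr_supported:
        return ("axfr", None)                    # e.g. a Windows NT 4 secondary
    changes, cur = [], secondary_serial
    while cur != primary_serial:
        step = journal.get(cur)
        if step is None:
            return ("axfr", None)                # gap in the journal: full transfer
        cur, delta = step
        changes.extend(delta)
    return ("ixfr", changes)


NS_ADDRS = {"192.0.2.10", "192.0.2.11"}          # constructed: primary and its secondary
DEFAULT_POLICY = ZoneTransferPolicy("any", NS_ADDRS)
HARDENED_POLICY = ZoneTransferPolicy("name_servers", NS_ADDRS)

if __name__ == "__main__":
    print("secondary, one serial behind:", handle_transfer_request(HARDENED_POLICY, "192.0.2.11", 2001052302))
    print("unknown host, default policy: ", handle_transfer_request(DEFAULT_POLICY, "203.0.113.7", 0))
    print("unknown host, hardened policy:", handle_transfer_request(HARDENED_POLICY, "203.0.113.7", 0))
```

The last two calls are the point of the paragraph above: with the default setting an unknown host asking for serial 0 receives the whole zone, and restricting transfers to the zone's name servers turns that into a refusal.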
Windows 2000 DNS servers perform fast zone transfers with data compression and multiple resource records sent in each message when transferring zones to other Windows DNS servers. This zone transfer method works with all Windows DNS servers, and BIND DNS servers version 4.9.4 or later (although Windows 2000 DNS servers should run Service Pack 3 or newer if receiving zone information from BIND 9.x servers).
If you are using BIND DNS servers, check whether Windows has fast transfers enabled. To perform zone transfers with BIND servers earlier than version 4.9.4, you need to disable this fast zone transfer method.
Although you can use Windows 2000 DNS servers and Active Directory in conjunction with Windows NT 4 Service Pack 4 DNS servers and BIND servers later than version 4.9.4, for best compatibility use Windows 2000 or BIND 8.2 or newer DNS servers. BIND versions 8.2 and later support incremental zone transfers, and BIND versions 8.1.2 and later support dynamic updates.
To toggle support for fast transfers, turn off the BIND Secondaries option. To do so, use the following procedure:
The DNS servers in Windows NT 4 and BIND 4.9.x are somewhat of a management headache because of the lack of dynamic updates. Every time a host is given a new IP address, an administrator has to manually update the DNS zone file with the new IP address.
Fortunately, the Windows 2000 DNS server implements RFC 2136-compliant dynamic updates. These dynamic updates allow Windows XP and Windows 2000 clients to update their own forward lookup DNS records, and they allow DHCP servers to update the forward and reverse lookup records of all legacy clients (if this option is enabled in DHCP). They also allow you to scavenge records that haven't been refreshed in a long time, reducing the gradual bloat that happens with DNS databases. (See Chapter 13 for more information about setting up aging and scavenging parameters.)
If you didn't turn on dynamic updates when you configured the DNS server, follow these steps to do so:
For dynamic DNS to work properly, DHCP servers must be configured to update the DNS server when a client's IP address changes. Windows 2000 Server-based DHCP servers are set up to dynamically update DNS for Windows XP and Windows 2000 clients by default. Dynamic updates for legacy systems must be specifically enabled on the DHCP server.
WINS allows NetBIOS names to be resolved into IP addresses. This capability is important for networks that support large numbers of pre-Windows 2000 Microsoft clients. DNS can work with WINS to search the entire combined DNS and NetBIOS namespace, if necessary, when a client attempts to resolve a host name.
In Windows NT 4, enabling WINS resolution within DNS is essential to successfully resolving hosts that might have recently changed IP addresses—the dynamic WINS database provides an up-to-date IP address when the static DNS zone file can't. However, with Windows XP and the Windows 2000 family, dynamic updates to the DNS server eliminate the need to use WINS servers to keep the namespace up to date, and WINS is gradually phased out.
To enable WINS resolution in a zone, follow these steps:
You will find more about setting up WINS in the section Setting Up a WINS Server, later in this chapter.
No name server is able to answer the queries of all clients; sometimes clients request a DNS name that isn't in a zone managed by the DNS server, let's say example.microsoft.com. The DNS server goes to the Internet to the top level of the DNS domain tree. The top-level DNS servers then provide the address of the DNS server for the first level (.com). This server in turn provides the address of the microsoft.com DNS server, which then provides the address of example.microsoft.com's DNS server.
This process is called recursion, and it takes time and a number of trips out to the Internet by the DNS server. In a network with multiple DNS servers and domains, it can be advantageous to have DNS servers forward their unresolved queries to another DNS server. This server then either replies with the desired record from its own DNS zone, or hunts down the unresolved query and reports back to the DNS server that forwarded the request. This can reduce WAN link usage in two ways:
To configure the DNS server to forward unresolved queries to another DNS server, follow these steps:
For security reasons, a single DNS server typically forwards queries from the internal network to a DNS server on the other side of the firewall. All other internal DNS servers forward their queries to the designated forwarder to be passed on to the external name server (or resolved from the forwarder's cache file).
Figure 14-24. Setting up DNS forwarders.
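The recursion walk and the forwarder arrangement from the preceding paragraphs, as an added simulation that is not from the book: an internal server resolving www.example.microsoft.com on its own makes one trip per level of the tree (root, .com, microsoft.com, example.microsoft.com), while servers that forward to a single caching forwarder cause external traffic only for the first lookup, and only the forwarder ever talks to the outside. The delegation tree, server labels and addresses are constructed stand-ins for the real servers; cache TTLs are left out.

```python
# Constructed delegation tree: each node answers some names and delegates the rest.
AUTHORITY = {
    "root":         {"delegates": {"com.": "tld-com"}},
    "tld-com":      {"delegates": {"microsoft.com.": "ns-microsoft"}},
    "ns-microsoft": {"delegates": {"example.microsoft.com.": "ns-example"}},
    "ns-example":   {"answers": {"www.example.microsoft.com.": "192.0.2.80"}},
}
LOCAL_ZONE = {"dns1.scribes.com.": "192.0.2.10"}   # what the internal servers hold themselves


def resolve_iteratively(name, authority=AUTHORITY):
    """Walk the tree from the root the way a recursing server does; return (address, trips)."""
    server, trips = "root", 0
    while True:
        trips += 1
        node = authority[server]
        if name in node.get("answers", {}):
            return node["answers"][name], trips
        nxt = None
        for zone, target in node.get("delegates", {}).items():
            if name == zone or name.endswith("." + zone):
                nxt = target                     # follow the delegation one level down
        if nxt is None:
            raise LookupError(f"no delegation for {name} at {server}")
        server = nxt


class Forwarder:
    """The one server that crosses the firewall; remembers what it has learned."""

    def __init__(self):
        self.cache, self.external_trips = {}, 0

    def query(self, name):
        if name in self.cache:
            return self.cache[name], 0           # answered from cache, no WAN traffic
        addr, trips = resolve_iteratively(name)
        self.external_trips += trips
        self.cache[name] = addr
        return addr, trips


class InternalServer:
    """Authoritative for LOCAL_ZONE; either recurses itself or hands the rest to a forwarder."""

    def __init__(self, forwarder=None):
        self.forwarder, self.wan_trips = forwarder, 0

    def query(self, name):
        if name in LOCAL_ZONE:
            return LOCAL_ZONE[name], "local"
        if self.forwarder is None:
            addr, trips = resolve_iteratively(name)
            self.wan_trips += trips
            return addr, "recursed"
        addr, _ = self.forwarder.query(name)
        return addr, "forwarded"


def compare_wan_usage(queries):
    """Spread the queries over two internal servers; return (external trips when each
    server recurses on its own, external trips when both forward to one forwarder)."""
    alone = [InternalServer(), InternalServer()]
    fwd = Forwarder()
    via = [InternalServer(fwd), InternalServer(fwd)]
    for i, name in enumerate(queries):
        alone[i % 2].query(name)
        via[i % 2].query(name)
    return sum(s.wan_trips for s in alone), fwd.external_trips


if __name__ == "__main__":
    demo = ["www.example.microsoft.com.", "www.example.microsoft.com.", "dns1.scribes.com."]
    print("WAN trips, recursing separately vs. via forwarder:", compare_wan_usage(demo))
```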
Root hints tell a DNS server where to look to find the DNS servers authoritative for the top level of the domain structure. Root hints for the Internet's root servers are automatically installed in the Cache.dns file located in the %SystemRoot%\System32\Dns folder.
If the DNS server only needs to resolve names in the private network, you must provide the locations of the top-level DNS servers for the network, either through the DNS console (as described next) or by manually editing the Cache.dns file. Alternatively, you can import root hints from another server.
If the server is the root of the network's namespace and doesn't resolve Internet host names, you can delete the Cache.dns file.
To update root hints on the server, use the following procedure:
Figure 14-25. Updating root hints.
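A check worth running on a hand-edited Cache.dns for a private namespace, as an added example that is not from the book: every NS entry for the root must have a matching A record (its glue), and that address must be valid, or the server has a root hint it cannot use. The file contents below are constructed in the named.root layout (owner, TTL, type, data, with an optional IN class) with placeholder names and documentation-range addresses; they are not the Internet root hints shipped with Windows.

```python
import ipaddress

# Constructed root hints for a private namespace, in the layout used by Cache.dns.
ROOT_HINTS = """\
; placeholder root servers for a private network; not the Internet root servers
.                   3600000   NS   ns1.corp.example.
.                   3600000   NS   ns2.corp.example.
.                   3600000   NS   ns3.corp.example.
ns1.corp.example.   3600000   A    192.0.2.1
ns2.corp.example.   3600000   A    192.0.2.2
ns3.corp.example.   3600000   A    192.0.2.999   ; typo: not a valid address
"""


def parse_root_hints(text):
    """Return (root NS names in file order, {name: IPv4 glue}, [(name, bad address)]).
    Expects the Cache.dns layout: owner TTL [IN] TYPE rdata, one record per line."""
    ns_names, glue, bad = [], {}, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()       # drop comments and blank lines
        if not line:
            continue
        tokens = [t for t in line.split() if t.upper() != "IN"]
        owner, rtype, rdata = tokens[0].lower(), tokens[2].upper(), tokens[3]
        if rtype == "NS" and owner == ".":
            ns_names.append(rdata.lower())
        elif rtype == "A":
            try:
                glue[owner] = str(ipaddress.IPv4Address(rdata))
            except ValueError:
                bad.append((owner, rdata))
    return ns_names, glue, bad


def validate_root_hints(text):
    """Which root hints the server can actually use, and which it cannot and why."""
    ns_names, glue, bad = parse_root_hints(text)
    return {
        "usable": {n: glue[n] for n in ns_names if n in glue},
        "missing_glue": [n for n in ns_names if n not in glue],
        "bad_address": bad,
    }


if __name__ == "__main__":
    for key, value in validate_root_hints(ROOT_HINTS).items():
        print(key, value)
```

If the server is the root of the private namespace (the case in which the text says Cache.dns can be deleted), the file should be empty or absent rather than pointing the server at itself.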
Caching-only servers are DNS servers that don't host any zones and that aren't authoritative for any domains—they simply cache the queries that they perform on behalf of the clients that use the server. Caching-only servers are useful for sites that use a slow WAN link to other DNS servers. By simply caching queries instead of holding its own zone files, a caching-only server reduces network traffic because it never performs any zone transfers. To set up a caching-only server, follow these steps:
Figure 14-26. The Select Target Computer dialog box.
The DNS server is added to the DNS console on the caching server. The caching server performs recursive queries on behalf of its clients and over time accumulates resource records for answering future queries. You can clear the cache on a caching server by right-clicking the server's name in the DNS console and selecting Clear Cache from the shortcut menu.