Document: Windows Server 2008 Inside Out- P17 pptx

Chapter 24: Implementing and Managing DNS

Installing the DNS Server Service 767
Configuring DNS Using the Wizard 773
Configuring DNS Zones, Subdomains, Forwarders, and Zone Transfers 783
Adding Resource Records 794
Deploying Global Names 803
Maintaining and Monitoring DNS 804
Troubleshooting the DNS Client Service 809
Troubleshooting the DNS Server Service 812

Name services are essential for communications for Transmission Control Protocol/Internet Protocol (TCP/IP) networking. Windows Server 2008 uses the Domain Name System (DNS) as its primary method of name resolution. DNS enables computers to register and resolve DNS domain names. DNS defines the rules under which computers are named and how names are resolved to IP addresses. Windows Server 2008 also supports Windows Internet Naming Service (WINS), which is covered in detail in Chapter 25, "Implementing and Maintaining WINS." WINS provides a similar service for NetBIOS names as DNS provides for DNS domain names. WINS maps NetBIOS names to IP addresses for hosts running NetBIOS over TCP/IP.

Installing the DNS Server Service

The way you install the DNS Server service depends on whether you plan to use DNS with Active Directory or without Active Directory. After you make that decision, you can install DNS as necessary.

Using DNS with Active Directory

On a domain with Active Directory, DNS is required to install the first domain controller in a domain. Active Directory doesn't necessarily require Windows DNS, however. Active Directory is designed to work with any DNS server that supports dynamic updates and Service Location (SRV) records. This means Active Directory can work with any DNS server running Berkeley Internet Name Domain (BIND) version 8.1.2 or later. If you have DNS servers that use BIND version 8.1.2 or later, you can use those servers. If you don't already have BIND servers, you probably won't want to set them up, because there are many benefits to using the Microsoft DNS Server service. When you install the DNS Server service as part of the Active Directory installation process, you can use Active Directory-integrated zones and take advantage of the many replication and security benefits of Active Directory.
Here, any server configured as a domain controller with DNS and using Active Directory-integrated zones is an Active Directory primary name server.

Here's how installation of DNS on the first domain controller in a domain works:

1. You use the Domain Controller Promotion tool (Dcpromo.exe) to install the first domain controller. During the installation process, you are prompted to specify the Active Directory domain name, as shown in the following screen. This sets the DNS name for the domain as well.

Note: For more information about promoting domain controllers, see "Installing Active Directory Domain Services" on page 1112.

2. When the Active Directory installation process begins, the Active Directory Domain Services Installation Wizard checks the current DNS configuration. If no authoritative DNS servers are available for the domain, the wizard selects DNS Server as an additional installation option, as shown in the following screen.

3. In most cases, you'll want to install DNS. If you install DNS, the Active Directory Domain Services Installation Wizard installs and then configures DNS. As the next screen shows, this means a forward lookup zone is created for the domain. The forward lookup zone has the Start of Authority (SOA), Name Server (NS), and host Address (A) records for the server you are working with. This designates it as the authoritative name server for the domain. If desired, you can also create reverse lookup zones to allow for IP address to host name lookups. DNS servers support IPv4 and IPv6 for reverse lookups.

4. For the first DNS server in a forest, the Active Directory Domain Services Installation Wizard creates the forest-wide locator records and stores them in the _msdcs subdomain. Windows Server 2008 creates this as a separate zone, which is referred to as the forest root zone.

Side Out: Forest root zones

The forest root zone is an important part of Active Directory. It is in this zone that Active Directory creates the SRV resource records used when clients are looking for a particular resource such as global catalog servers, Lightweight Directory Access Protocol (LDAP) servers, and Kerberos servers. The _msdcs subdomain is created as its own zone to improve performance with remote sites. With Windows 2000, remote sites had to replicate the entire DNS database to access forest root records, which meant increased replication and bandwidth usage. As a separate zone, only that zone is replicated to the DNS servers in remote sites, as long as Active Directory application partitions are used. In Windows Server 2008, you can enable application partitions for use with DNS as discussed in "Configuring Default Application Directory Partitions and Replication Scope" on page 804.

On subsequent domain controllers, you must specifically install the DNS Server service. You do this using the Add Roles Wizard as detailed in "DNS Setup" on the next page.

In an Active Directory domain, secondary and stub zones can also be useful, as discussed in "DNS Zones and Zone Transfers" on page 749. In fact, in certain situations you might have to use a secondary or stub zone for name resolution to work properly. Consider the case when you have multiple trees in a forest, each in its own namespace. For instance, City Power & Light and The Phone Company are both part of one company and use the domains cpandl.com and thephone-company.com, respectively. If the namespaces for these domains are set up as separate trees of the same forest, your organization has two namespaces. In the cpandl.com domain, you might want users to be able to access resources in the thephone-company.com domain and vice versa. To do this, you would configure DNS as shown in Figure 24-1.

Figure 24-1 Using secondary zones with Active Directory. (Diagram: the cpandl.com tree, replicating Active Directory to sales.cpandl.com and tech.cpandl.com, and the thephone-company.com tree; the DNS server of each tree holds a secondary zone for the other tree's namespace, kept current by zone transfers.)
The implementation steps for this example are as follows:

1. Set up a secondary or stub zone for thephone-company.com on the authoritative name server for cpandl.com.
2. Set up a secondary or stub zone for cpandl.com on the authoritative name server for thephone-company.com.
3. Configure zone transfers between cpandl.com and thephone-company.com.
4. Configure zone transfers between thephone-company.com and cpandl.com.

Using DNS Without Active Directory

On a domain without Active Directory, DNS servers act as standard primary or standard secondary name servers. You must install the DNS Server service on each primary or secondary server. You do this using the Add Roles Wizard as detailed in the next section.

On primary name servers, you configure primary zones for forward lookups and, as necessary, for reverse lookups. The forward lookup zone has SOA, NS, and A records for the server you are working with. This designates it as the authoritative name server for the domain. You can also create reverse lookup zones to allow for IP address to host name lookups.

On secondary name servers, you configure secondary zones to store copies of the records on the primary name server. You can create secondary zones for the forward lookup zones as well as the reverse lookup zones configured on the primary. Stub zones and forwarders are also options for these DNS servers.

DNS Setup

You can install the DNS Server service by completing the following steps:

1. In Server Manager, select the Roles node in the left pane and then click Add Roles. This starts the Add Roles Wizard. If the wizard displays the Before You Begin page, read the welcome message and then click Next.
2. On the Select Server Roles page, select DNS Server and then click Next twice.
3. Click Install. The wizard installs DNS Server.

From now on, the DNS Server service should start automatically each time you reboot the server. If it doesn't start, you'll need to start it manually.

After you install the DNS Server service, the DNS console is available on the Administrative Tools menu. Start the console by clicking Start, Administrative Tools, DNS. Then select the DNS server you are working with to see its status, as shown in Figure 24-2.

Figure 24-2 The DNS console.

You don't have to complete the rest of the configuration at the server. You can remotely manage and configure DNS. Simply start the DNS console on your computer, right-click the DNS node in the left pane, and select Connect To DNS Server. In the Connect To DNS Server dialog box, select The Following Computer, type the name or IP address of the DNS server, and then click OK. In the DNS console, host addresses are displayed as IPv4 or IPv6 addresses as appropriate.

The command-line counterpart to the DNS console is Dnscmd. The Dnscmd command-line tool accepts addresses in IPv4 and IPv6 format. From the command prompt on a computer running Windows Server 2008, you can use Dnscmd to perform most of the tasks available in the DNS console as well as many troubleshooting tasks that are specific to Dnscmd. Unlike Netsh, Dnscmd doesn't offer internal command prompts. You specify the server you want to work with, followed by the command and the command-line options for that command.
Thus, the syntax is as follows:

dnscmd ServerName Command CommandOptions

where ServerName is the name or IP address of the DNS server you want to work with, such as CORPSVR03 or 192.168.10.15, Command is the command to use, and CommandOptions are the options for that command.

Note: If you are working on the server you want to configure, you don't have to type the server name or IP address.

After you set up a DNS server, the setup process should configure the server's TCP/IP settings so that the server attempts to resolve its own DNS queries. Setup does this by setting the server's primary DNS server address to its own address for both IPv4 and IPv6. You can confirm this by entering ipconfig /all at a command prompt. In the output of the command, you should see that the DNS servers are set as:

::1
127.0.0.1

::1 is the local loopback address for IPv6 and 127.0.0.1 is the local loopback address for IPv4. If necessary, you can modify the DNS server entries as discussed in Chapter 21, "Managing TCP/IP Networking." For Preferred DNS Server, type the computer's own IP address. Set an alternate DNS server as necessary. On a domain controller that hosts Active Directory-integrated zones, it is better to list another DNS server in the domain first and the loopback address second, so that the directory service can still resolve its replication partners while the local DNS Server service is starting.

You can also set the preferred DNS server IP address from the command line. Type the following command:

netsh interface ip set dns ConnectionName static ServerIPAddress

where ConnectionName is the name of the local area connection and ServerIPAddress is the IP address of the server. Consider the following example:

netsh interface ip set dns "Local Area Connection" static 192.168.1.100

Here, you set the preferred DNS server address for the network connection named Local Area Connection to 192.168.1.100.
The Static option says that you want to use the local setting for DNS rather than the Dynamic Host Configuration Protocol (DHCP) setting when applicable. You can confirm the new setting by typing ipconfig /all at the command prompt and checking for the DNS server entry. The server should show the same address for its IP address and its primary DNS server.

Configuring DNS Using the Wizard

From the DNS console, you can start the Configure A DNS Server Wizard and use it to help you set up a DNS server. This wizard is useful for helping you configure small networks that work with Internet service providers (ISPs) and large networks that use forwarding.

Side Out: Are reverse lookups needed?

For small networks, the Configure A DNS Server Wizard creates only a forward lookup zone. For large networks, it creates a forward lookup zone and a reverse lookup zone. This might get you thinking about whether reverse lookup zones are needed on your network. Computers use reverse lookups to find out who is contacting them. Often this is so that they can display a host name to users rather than an IP address. So, although a reverse lookup zone isn't created by the Configure A DNS Server Wizard for small networks, you might still want to create one. If so, follow the procedure discussed in "Creating Reverse Lookup Zones" on page 785.

Configuring a Small Network Using the Configure A DNS Server Wizard

For a small network, you can use the wizard to set up your forward lookup zone and query forwarding to your ISP or other DNS servers. You can also choose to configure this zone as a primary or secondary zone. You use the primary zone option if your organization maintains its own zone. You use the secondary zone option if your ISP maintains your zone. This gives you a read-only copy of the zone that can be used by internal clients.
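The small-network configuration the wizard produces (a primary forward zone, forwarding to the ISP, and the server pointed at itself) can also be built from the command line with Dnscmd and Netsh, which the previous section introduced. The following PowerShell script is an added example, not code from the book; it goes a step beyond the wizard by also creating a reverse lookup zone and a stub zone for a second tree, which is the Figure 24-1 arrangement with thephone-company.com. The zone names, host name, addresses (192.168.1.100 for this server, 192.168.2.100 for the peer tree's DNS server, 198.51.100.53 as the ISP forwarder) and the connection name are assumptions for the example; the DNS Server role must already be installed so that dnscmd.exe is present.

```powershell
# Added example (not from the book): build the wizard's small-network DNS
# configuration with Dnscmd and Netsh on Windows Server 2008.
# All names and addresses below are assumptions for the example.
# Run in an elevated PowerShell session on the DNS server itself.

$ErrorActionPreference = 'Stop'

$Zone        = 'cpandl.com'               # namespace this server is authoritative for
$ServerIp    = '192.168.1.100'            # this server's own address
$ServerHost  = 'corpsvr03'                # this server's host name within $Zone
$ReverseZone = '1.168.192.in-addr.arpa'   # reverse zone for 192.168.1.0/24
$Forwarder   = '198.51.100.53'            # ISP resolver that queries are forwarded to
$PeerZone    = 'thephone-company.com'     # second tree of the forest (Figure 24-1)
$PeerMaster  = '192.168.2.100'            # authoritative server for $PeerZone
$Connection  = 'Local Area Connection'    # NIC name as shown by ipconfig

function Invoke-Dnscmd {
    # Runs dnscmd.exe against the local server; dnscmd reports failure through a
    # non-zero exit code, so turn that into a terminating error.
    param([string[]]$Arguments)
    $output = & dnscmd.exe $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed (exit $LASTEXITCODE):`n$($output -join "`n")"
    }
    return $output
}

function Test-ZoneExists {
    # dnscmd /EnumZones prints one zone per line with the zone name first.
    param([string]$Name)
    $listing = Invoke-Dnscmd @('/EnumZones')
    $pattern = '^\s*' + [regex]::Escape($Name) + '\s'
    return [bool]($listing | Select-String -Pattern $pattern -Quiet)
}

function Add-ZoneIfMissing {
    # Creates a zone only if it is not already present, so the script can be re-run.
    param([string]$Name, [string[]]$TypeArguments)
    if (Test-ZoneExists $Name) { Write-Host "zone $Name already exists, skipping"; return }
    Invoke-Dnscmd (@('/ZoneAdd', $Name) + $TypeArguments + @('/file', "$Name.dns")) | Out-Null
    Write-Host "created zone $Name"
}

# 1. Primary forward zone (the wizard's "the DNS server maintains the zone" choice).
Add-ZoneIfMissing $Zone @('/Primary')

# 2. Reverse lookup zone; the wizard skips this for small networks, but it is cheap to have.
Add-ZoneIfMissing $ReverseZone @('/Primary')

# 3. Records for this server: A in the forward zone, PTR in the reverse zone, plus an
#    MX so mail for the domain has somewhere to go (mail.cpandl.com is assumed).
Invoke-Dnscmd @('/RecordAdd', $Zone, $ServerHost, 'A', $ServerIp) | Out-Null
Invoke-Dnscmd @('/RecordAdd', $ReverseZone, '100', 'PTR', "${ServerHost}.${Zone}.") | Out-Null
Invoke-Dnscmd @('/RecordAdd', $Zone, '@', 'MX', '10', "mail.${Zone}.") | Out-Null

# 4. This is a standard (not Active Directory-integrated) zone, so secure-only dynamic
#    updates are not available; the safe choice for a small static zone is to disable them.
Invoke-Dnscmd @('/Config', $Zone, '/AllowUpdate', '0') | Out-Null

# 5. Stub zone for the other tree (Figure 24-1): this server keeps only the peer's
#    SOA, NS and glue records and refers queries for that namespace to $PeerMaster.
Add-ZoneIfMissing $PeerZone @('/Stub', $PeerMaster)

# 6. Forward everything else to the ISP resolver. /Slave stops the server from falling
#    back to root-hint recursion when the forwarder does not answer.
Invoke-Dnscmd @('/ResetForwarders', $Forwarder, '/Slave') | Out-Null

# 7. Point the server's own TCP/IP stack at itself, as the section describes.
& netsh.exe interface ip set dns $Connection static $ServerIp | Out-Null

# 8. Verify: the zone is loaded with the expected settings, and the server answers
#    for its own name when asked directly on the loopback address.
Invoke-Dnscmd @('/ZoneInfo', $Zone) | Select-String 'zone type|update|secure secs'
nslookup "${ServerHost}.${Zone}" 127.0.0.1
```

The zone transfer policy of the new zones is left at the server's default; the section on configuring zone transfers later in this chapter covers restricting it to named secondaries. If you run this on a domain controller, keep the caveat from the previous section in mind and put another DNS server ahead of the loopback address in the client settings.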
Because small networks don't normally need reverse lookup zones, these are not created. You can, of course, create these zones later if needed. To configure a small network using the Configure A DNS Server Wizard, follow these steps:

1. Right-click the server entry in the DNS console, select Configure A DNS Server, and then, when the wizard starts, click Next.

Note: If the server you want to work with isn't shown, right-click the DNS node in the left pane, and select Connect To DNS Server. In the Connect To DNS Server dialog box, select The Following Computer, type the name or IP address of the DNS server, and then click OK.

2. Choose Create A Forward Lookup Zone (Recommended For Small Networks), as shown in Figure 24-3, and then click Next.

Figure 24-3 Select the first option to configure DNS for a small network.

Note: If Active Directory is installed on the network, this zone will be automatically integrated with Active Directory. To avoid this, you can choose the second option, Create Forward And Reverse Lookup Zones (Recommended For Large Networks), and then proceed as discussed in "Configuring a Large Network Using the Configure A DNS Server Wizard" on page 778. When the wizard gets to the reverse lookup zone configuration part, you can skip it if you don't want to create a reverse lookup zone.

3. As shown in Figure 24-4, you can now choose whether the DNS server or your ISP maintains the zone, and then click Next. Keep the following in mind:
  If the DNS server maintains the zone, the wizard configures a primary zone that you control. This allows you to create and manage the DNS records for the organization.
  If your ISP maintains the zone, the wizard configures a secondary zone that gets its information from your ISP. This means the staff at the ISP will need to create and manage the DNS records for the organization, and you will need to pay them to do so.

Figure 24-4 Specify whether the zone will be maintained on the server or by your ISP.

4. On the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy.
For example, if you're creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.

5. If your ISP maintains the zone, you see the Master DNS Servers page, as shown in Figure 24-5. Type the IP address of the primary DNS server that's maintaining the zone for you, and then press Enter. Repeat this step to specify additional name servers at your ISP. The wizard automatically validates the IP address or addresses you've entered. Zone transfers will be configured to copy the zone information from these DNS servers.

6. If you choose to maintain the zone, you see the Dynamic Update page, as shown in Figure 24-6. Choose how you want to configure dynamic updates, and then click Next. You can use one of these options:
  Allow Only Secure Dynamic Updates: This option is available only for Active Directory-integrated zones, that is, on domain controllers when Active Directory is deployed. It provides the best security possible by restricting which clients can perform dynamic updates: an update is accepted only from a client that authenticates to the server and has permission on the record it is changing.
  Allow Both Nonsecure And Secure Dynamic Updates: This option allows any client to update resource records in DNS. Although it allows both secure and nonsecure updates, it doesn't validate updates, which means dynamic updates are accepted from any client.
  Do Not Allow Dynamic Updates: This option disables dynamic updates in DNS. You should use this option only when the zone isn't integrated with Active Directory.

[...]

... transfer options: To Any Server: select To Any Server to allow any DNS server to request zone transfers. Only To Servers Listed On The Name Servers Tab: select this option to restrict transfers to name servers listed on the Name Servers tab, and then click the Name Servers tab. Then complete these steps: 1. The Name Servers list shows the DNS servers currently configured ...
... check box. You have two notification options: Servers Listed On The Name Servers Tab: select this option to notify only the name servers listed on the Name Servers tab. The Following Servers: select this option to specify the name servers that should be notified. Then complete these steps: 1. Type the IP address of a secondary server that should receive notification, and ...

... resources are only forwarded to your designated servers. The DNS Server service can send queries to IPv4-only, IPv4 and IPv6, and IPv6-only servers. To configure a large network using the Configure A DNS Server Wizard, follow these steps: 1. Right-click the server entry in the DNS console, and select Configure A DNS Server. When the wizard starts, click Next. Note: If the server you want to work with isn't shown, right-click ...

... includes DNS servers that host secondary zones. If a secondary server isn't listed and you want to authorize the server to request zone transfers, click Add. This displays the New Name Server Record dialog box. 2. In the Server Fully Qualified Domain Name (FQDN) field, type the fully qualified host name of a secondary server for the domain, and then click Resolve. The wizard then validates the name server ...

... zone transfers on primary name servers. If a server is a secondary name server, it is already configured to perform zone transfers with the primary name server in the zone. Using the DNS console, you can enable zone transfers on a primary name server and restrict the secondary name servers that can request zone transfers. In the DNS console, expand the node for the primary name server, and then expand the ...
... of the mail exchange server in the Fully Qualified Domain Name (FQDN) Of Mail Server box, such as exchange.cpandl.com. This is the name used to route mail for delivery. 4. Specify the priority of the mail server relative to other mail servers in the domain. The mail server with the lowest priority value is the one tried first when mail must be routed to a mail server in the domain. 5. ...

... name. 5. On the Name Servers page, click Add. As shown in Figure 24-13, the New Name Server Record dialog box is displayed. Figure 24-13 Specify the server name and IP address. 6. In the Server Fully Qualified Domain Name (FQDN) box, type the fully qualified host name of a DNS server for the subdomain, such as ns1.ny.cpandl.com, and then click Resolve. The wizard then validates the name server and fills ...

... Click OK to close the New Name Server Record dialog box. Repeat steps 5 and 6 to specify other authoritative DNS servers for the subdomain. 8. Click Next, and then click Finish.

Configuring Zone Transfers: Zone transfers are used to send a read-only copy of zone information to secondary DNS servers, which can be located in the same domain or in other domains. Windows Server 2008 supports three zone transfer ...

... zones. If you have secondary name servers, these name servers can't automatically request standard or incremental zone transfers. To allow this, you must first enable zone transfers on the primary name server. Zone transfers are disabled by default to enhance DNS server security. Speaking of security, although you can allow zone transfers to any DNS server, this opens the server to possible attack: anyone who can reach TCP port 53 on the server can pull a complete copy of the zone and with it an inventory of your hosts. It is ...
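The transfer and update settings described above are worth checking on every zone, not just when a zone is created. The PowerShell script below is an added example, not code from the book; it reads each zone's SecureSecondaries and AllowUpdate values from the MicrosoftDNS WMI provider that the DNS Server role installs, reports the zones that allow transfers to any server or accept nonsecure dynamic updates, and, when $Fix is set, applies the restrictions this section describes with Dnscmd. The $DnsServer variable, the $Fix switch and the message text are assumptions for the example; the numeric meanings of the two properties are taken from the provider's documentation.

```powershell
# Added example (not from the book): audit every zone on a Windows Server 2008
# DNS server for unrestricted zone transfers and nonsecure dynamic updates,
# and optionally tighten them with Dnscmd. Reads the MicrosoftDNS WMI provider
# that ships with the DNS Server role. $DnsServer and $Fix are assumptions.

$DnsServer = '.'        # '.' is the local server; a remote server name also works
$Fix       = $false     # set to $true to apply the remediation below

# Meaning of the numeric properties on MicrosoftDNS_Zone (provider documentation):
#   SecureSecondaries  0 = any server, 1 = Name Servers tab, 2 = listed IPs, 3 = no transfers
#   AllowUpdate        0 = none, 1 = nonsecure and secure, 2 = secure only
$XferText   = @{ 0 = 'ANY server'; 1 = 'Name Servers tab'; 2 = 'listed IPs only'; 3 = 'disabled' }
$UpdateText = @{ 0 = 'disabled'; 1 = 'NONSECURE and secure'; 2 = 'secure only' }

function Get-DnsZoneFindings {
    # Returns one object per zone with its transfer/update policy and any issues found.
    param([string]$ComputerName)

    $zones = Get-WmiObject -ComputerName $ComputerName -Namespace 'root\MicrosoftDNS' `
                           -Class 'MicrosoftDNS_Zone'
    foreach ($z in $zones) {
        # Root hints ('.') and secondary zones (ZoneType 2 in the provider) are not
        # where transfer and update policy is set, so skip them.
        if ($z.Name -eq '.' -or [int]$z.ZoneType -eq 2) { continue }

        $xfer   = [int]$z.SecureSecondaries
        $update = [int]$z.AllowUpdate
        $issues = @()
        if ($xfer -eq 0) {
            $issues += 'zone transfers allowed to any server (full zone dump to anyone who asks)'
        }
        if ($update -eq 1) {
            $issues += 'nonsecure dynamic updates accepted (any host can overwrite records)'
        }
        if ($z.DsIntegrated -and $update -eq 0) {
            $issues += 'AD-integrated zone with updates disabled (domain controllers cannot register locator records)'
        }

        New-Object PSObject -Property @{
            Zone          = $z.Name
            DsIntegrated  = [bool]$z.DsIntegrated
            ZoneTransfers = $XferText[$xfer]
            Secondaries   = ($z.SecondaryServers -join ',')
            DynamicUpdate = $UpdateText[$update]
            Issues        = ($issues -join '; ')
        }
    }
}

function Repair-DnsZone {
    # Applies the two hardening steps from the text with Dnscmd:
    #  - transfers only to the servers on the Name Servers tab, with notify to the same set
    #  - secure-only dynamic updates, which only Active Directory-integrated zones support
    param([string]$ComputerName, [string]$Zone, [bool]$DsIntegrated)

    $target = if ($ComputerName -eq '.') { @() } else { @($ComputerName) }
    & dnscmd.exe ($target + @('/ZoneResetSecondaries', $Zone, '/SecureNs', '/Notify')) | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "could not restrict transfers for $Zone" }

    if ($DsIntegrated) {
        & dnscmd.exe ($target + @('/Config', $Zone, '/AllowUpdate', '2')) | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "could not set secure-only updates for $Zone" }
    } else {
        # A standard primary zone cannot do secure updates, and turning updates off may
        # break DHCP-driven registration, so leave that decision to a human.
        Write-Warning "$Zone is a standard zone; set AllowUpdate to 0 manually if no client relies on registration"
    }
}

$findings = @(Get-DnsZoneFindings -ComputerName $DnsServer)
$findings | Format-Table Zone, DsIntegrated, ZoneTransfers, DynamicUpdate, Issues -AutoSize

if ($Fix) {
    foreach ($f in ($findings | Where-Object { $_.Issues })) {
        Repair-DnsZone -ComputerName $DnsServer -Zone $f.Zone -DsIntegrated $f.DsIntegrated
    }
}
```

After a fix, re-run the audit and, from a host that is not on the Name Servers tab, confirm that nslookup's ls command (or dig axfr) against the zone is refused; a transfer that still succeeds means the request is reaching a different server or the setting did not take.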
Records on Primary Servers: When you create records or make changes to records, you should do so on a primary server. For Active Directory-integrated zones, this means any domain controller running the DNS Server service. For standard zones, this means the primary name server only. After you make changes to standard zones, right-click the server entry in the DNS console and select Update Server Data Files ...

Posted: 14/12/2013, 16:15
