Optimizing DNS - Windows Server 2012 R2 Pocket Consultant: Storage, Security, & Networking (2014)


Chapter 9. Optimizing DNS

§ Understanding DNS

§ Configuring name resolution on DNS clients

§ Installing DNS servers

§ Managing DNS servers

§ Managing DNS records

§ Updating zone properties and the SOA record

§ Managing DNS server configuration and security

This chapter discusses the techniques you use to set up and manage Domain Name System (DNS) on a network. DNS is a name-resolution service that resolves computer names to IP addresses. When you use DNS, a fully qualified host name—omega.microsoft.com, for example—can be resolved to an IP address, which enables computers to find one another. DNS operates over the TCP/IP protocol stack and can be integrated with Windows Internet Name Service (WINS), Dynamic Host Configuration Protocol (DHCP), and Active Directory Domain Services (AD DS). Fully integrating DNS with these Windows networking features enables you to optimize DNS for Windows Server domains.

Understanding DNS

DNS organizes groups of computers into domains. These domains are organized into a hierarchical structure that can be defined on an Internet-wide basis for public networks or on an enterprise-wide basis for private networks (also known as extranets and intranets, respectively). The various levels within the hierarchy identify individual computers, organizational domains, and top-level domains. For the fully qualified host name omega.microsoft.com, omega represents the host name for an individual computer, microsoft is the organizational domain, and com is the top-level domain.

Top-level domains are at the root of the DNS hierarchy and are also called root domains. These domains are organized geographically, by organization type, and by function. Typical corporate domains, such as microsoft.com, are also referred to as parent domains because they’re the parents of an organizational structure. You can divide parent domains into subdomains you can use for groups or departments within your organization.

Subdomains are often referred to as child domains. For example, the fully qualified domain name (FQDN) for a computer within a human resources group could be designated as jacob.hr.microsoft.com. Here, jacob is the host name, hr is the child domain, and microsoft.com is the parent domain.

Integrating Active Directory and DNS

Active Directory domains use DNS to implement their naming structure and hierarchy. Active Directory and DNS are so tightly integrated that DNS must be available on the network before you can install Active Directory Domain Services.

During installation of the first domain controller on an Active Directory network, you have the opportunity to automatically install DNS if a DNS server can’t be found on the network. You can also specify whether DNS and Active Directory should be integrated fully. In most cases, you should respond affirmatively to both requests. With full integration, DNS information is stored directly in Active Directory, which enables you to take advantage of Active Directory’s capabilities.

Understanding the difference between partial integration and full integration is very important:

§ Partial integration. With partial integration, the domain uses standard file storage. DNS information is stored in text-based files that end with the .dns extension. The default location of these files is %SystemRoot%\System32\Dns. Updates to DNS are handled through a single authoritative DNS server. This server is designated as the primary DNS server for the particular domain or an area within a domain called a zone. Clients that use dynamic DNS updates through DHCP must be configured to use the primary DNS server in the zone. If they aren’t, their DNS information won’t be updated. Likewise, dynamic updates through DHCP can’t be made if the primary DNS server is offline.

§ Full integration. With full integration, the domain uses directory-integrated storage. DNS information is stored directly in Active Directory and is available through the container for the dnsZone object. Because the information is part of Active Directory, any domain controller can access the data, and you can use a multimaster approach for dynamic updates through DHCP. This enables any domain controller running the DNS Server service to handle dynamic updates. Furthermore, clients that use dynamic DNS updates through DHCP can use any DNS server within the zone. An added benefit of directory integration is the ability to use directory security to control access to DNS information.

If you look at the way DNS information is replicated throughout the network, you will find more advantages to full integration with Active Directory. With partial integration, DNS information is stored and replicated separately from Active Directory. By having two separate structures, you reduce the effectiveness of both DNS and Active Directory and make administration more complex. Because DNS is less efficient than Active Directory at replicating changes, you might also increase network traffic and the amount of time required to replicate DNS changes throughout the network.

In early releases of the DNS Server service for Windows servers, restarting a DNS server could take an hour or more in large organizations with extremely large AD DS–integrated zones. The operation took this much time because the zone data was loaded in the foreground while the server was starting the DNS service. To ensure that DNS servers can be responsive after a restart, the DNS Server service for Windows Server 2008 R2 and later has been enhanced to load zone data from AD DS in the background while the service restarts. This ensures that the DNS server is responsive and can handle requests for data from other zones.

At startup, DNS servers running Windows Server 2008 R2 and later perform the following tasks:

§ Enumerate all zones to be loaded.

§ Load root hints from files or AD DS storage.

§ Load all zones that are stored in files rather than in AD DS.

§ Begin responding to queries and Remote Procedure Calls (RPCs).

§ Create one or more threads to load the zones that are stored in AD DS.

Because separate threads load zone data, the DNS server is able to respond to queries while zone loading is in progress. If a DNS client performs a query for a host in a zone that has already been loaded, the DNS server responds appropriately. If the query is for a host that has not yet been loaded into memory, the DNS server reads the host’s data from AD DS and updates its record list accordingly.

Enabling DNS on the network

To enable DNS on the network, you need to configure DNS clients and servers. When you configure DNS clients, you tell the clients the IP addresses of DNS servers on the network. By using these addresses, clients can communicate with DNS servers anywhere on the network, even if the servers are on different subnets.

NOTE

Configuring a DNS client is explained in Chapter 7. Configuring a DNS server is explained in the next section of this chapter.

The DNS client built into computers running Windows 7 and later, in addition to Windows Server 2008 R2 or later, supports DNS traffic over Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6). By default, IPv6 automatically configures the site-local address of DNS servers. To add the IPv6 addresses of your DNS servers, use the properties of the Internet Protocol Version 6 (TCP/IPv6) component in Network Connections or the following command:

netsh interface IPV6 ADD DNSSERVERS

In Windows PowerShell, you can use Get-NetIPInterface to list the available interfaces and then use Set-DNSClientServerAddress to set the IPv6 address on a specified interface.
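The following is an added example, not code from the book, showing the PowerShell route just described: locate the interface with Get-NetIPInterface, set its IPv6 DNS server list with Set-DnsClientServerAddress, and then read the list back to confirm the order of use. The interface alias Ethernet and the two addresses under 2001:db8::/32 (the documentation prefix) are constructed sample values.

```powershell
# Added example (not from the book): set the IPv6 DNS server addresses on one
# interface with the DNS Client cmdlets, then verify the result. The interface
# alias 'Ethernet' and the addresses 2001:db8:10::53 / 2001:db8:10::54 are
# constructed sample values (2001:db8::/32 is reserved for documentation).
$alias      = 'Ethernet'
$dnsServers = @('2001:db8:10::53', '2001:db8:10::54')

# Get-NetIPInterface returns one row per address family; pick the IPv6 row.
$ifIndex = (Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv6).ifIndex

# Apply the list. Its order is the order of use, exactly as on the DNS tab.
Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $dnsServers

# Verify: the configured list must match what was requested, in the same order.
$configured = (Get-DnsClientServerAddress -InterfaceIndex $ifIndex -AddressFamily IPv6).ServerAddresses
if (@(Compare-Object $dnsServers $configured -SyncWindow 0).Count -eq 0) {
    'IPv6 DNS servers applied in the requested order'
} else {
    "Mismatch: expected $($dnsServers -join ', ') but found $($configured -join ', ')"
}

# To go back to automatically configured (DHCPv6 or router-advertised) servers:
# Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ResetServerAddresses
```

The verification step matters on multihomed systems: the DNS tab and the cmdlets configure a single interface, and the client uses the lists of all active interfaces, so confirm the result on the interface you intended.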

DNS servers running Windows Server 2008 R2 or later support IPv6 addresses as fully as they support IPv4 addresses. In the DNS Manager console, host addresses are displayed as IPv4 or IPv6 addresses. The Dnscmd command-line tool also accepts addresses in either format. Additionally, DNS servers can now send recursive queries to IPv6-only servers, and the server forwarder list can contain both IPv4 and IPv6 addresses. Finally, DNS servers now support the ip6.arpa domain namespace for reverse lookups.

When the network uses DHCP, you should configure DHCP to work with DNS. DHCP clients can register IPv6 addresses along with or instead of IPv4 addresses. To ensure proper integration of DHCP and DNS, you need to set the DHCP scope options as specified in Setting scope options in Chapter 8. For IPv4, you should set the 006 DNS Servers and 015 DNS Domain Name scope options. For IPv6, you should set the 00023 DNS Recursive Name Server IPV6 Address List and 00024 Domain Search List scope options. Additionally, if computers on the network need to be accessible from other Active Directory domains, you need to create records for them in DNS. DNS records are organized into zones, where a zone is an area within a domain.

DNS client computers running Windows 7 or later, in addition to Windows Server 2008 R2 or later, can use Link-Local Multicast Name Resolution (LLMNR) to resolve names on a local network segment when a DNS server is not available. They also periodically search for a domain controller in the domain to which they belong. This functionality helps avoid performance problems that might occur if a network or server failure causes a DNS client to create an association with a distant domain controller located on a slow link rather than a local domain controller. Previously, this association continued until the client was forced to seek a new domain controller, such as when the client computer was disconnected from the network for a long period of time. By periodically renewing its association with a domain controller, a DNS client can reduce the probability that it will be associated with an inappropriate domain controller.

The DNS client service for Windows 8 and later has several interoperability and security enhancements specific to LLMNR and NetBIOS. To improve security for mobile networking, the service

§ Does not send outbound LLMNR queries over mobile broadband or VPN interfaces.

§ Does not send outbound NetBIOS queries over mobile broadband.

For better compatibility with devices in power-saving mode, the LLMNR query timeout is set to 410 milliseconds (msec) for the first retry and 410 msec for the second retry, making the total timeout value 820 msec. To improve response times for all queries, the DNS client service does the following:

§ Issues LLMNR and NetBIOS queries in parallel, and optimizes for IPv4 and IPv6

§ Divides interfaces into networks to send parallel DNS queries

§ Uses asynchronous DNS cache with an optimized response timing

NOTE

You can configure a DNS client computer running Windows 7 or later, in addition to Windows Server 2008 R2 or later, to locate the nearest domain controller instead of searching randomly. This can improve performance in networks containing domains that exist across slow links. However, because of the network traffic this process generates, locating the nearest domain controller can have a negative impact on network performance.

Windows Server 2008 and later support read-only primary zones and the GlobalNames zone. To support read-only domain controllers (RODCs), the primary read-only zone is created automatically. When a computer becomes an RODC, it replicates a full read-only copy of all the application directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones. As an administrator of an RODC, you can view the contents of a primary read-only zone. You cannot, however, change the contents of a zone on the RODC. You can change the contents of the zone only on a standard domain controller.

To support all DNS environments and single-label name resolution, you can create a zone named GlobalNames. For optimal performance and cross-forest support, you should integrate this zone with AD DS and configure each authoritative DNS server with a local copy. When you use Service Location (SRV) resource records to publish the location of the GlobalNames zone, this zone provides unique, single-label computer names across the forest. Unlike WINS, the GlobalNames zone is intended to provide single-label name resolution for a subset of host names—typically, the CNAME resource records for your corporate servers. The GlobalNames zone is not intended to be used for peer-to-peer name resolution, such as name resolution for workstations. This is what LLMNR is for.

When the GlobalNames zone is configured appropriately, single-label name resolution works as follows:

1. The client’s primary DNS suffix is appended to the single-label name that the client is looking up, and the query is submitted to the DNS server.

2. If that computer’s full name is not resolved, the client requests resolution by using its DNS suffix search lists, if any.

3. If none of those names can be resolved, the client requests resolution by using the single-label name.

4. If the single-label name appears in the GlobalNames zone, the DNS server hosting the zone resolves the name. Otherwise, the query fails over to WINS.

The GlobalNames zone provides single-label name resolution only when all authoritative DNS servers are running Windows Server 2008 R2 and later. However, other DNS servers that are not authoritative for any zone can be running other operating systems. Dynamic updates in the GlobalNames zone are not supported.
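As an added example (not the book's own steps), the following PowerShell creates the GlobalNames zone the way the preceding paragraphs recommend: AD DS-integrated, replicated forest-wide, with dynamic updates disabled because the zone does not support them. It then enables GlobalNames support on the server, publishes one single-label name as a CNAME record, and lists any record type that does not belong in the zone. The CNAME target intranet.adatum.com is a constructed sample value.

```powershell
# Added example (not from the book): create and enable a GlobalNames zone on a
# Windows Server DNS server and publish one single-label name in it. The CNAME
# target intranet.adatum.com is a constructed sample value.
Import-Module DnsServer

# 1. Create the zone: AD DS-integrated, forest-wide replication (the recommended
#    scope for cross-forest support), dynamic updates off because GlobalNames
#    does not support them.
if (-not (Get-DnsServerZone -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None
}

# 2. Turn on GlobalNames support. This is a per-server setting, so repeat it on
#    every authoritative DNS server that should answer single-label queries.
Set-DnsServerGlobalNameZone -Enable $true

# 3. Publish a single-label name as a CNAME that points at the real host.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias 'intranet.adatum.com'

# 4. Review: apart from the zone's own SOA and NS records, everything in
#    GlobalNames should be a CNAME. Anything else is a configuration mistake.
Get-DnsServerResourceRecord -ZoneName 'GlobalNames' |
    Where-Object RecordType -NotIn 'SOA', 'NS', 'CNAME' |
    ForEach-Object { "Unexpected $($_.RecordType) record in GlobalNames: $($_.HostName)" }
```

Because the zone is authoritative for bare names across the forest, treat additions to it as change-controlled: a CNAME here silently redirects every client that resolves that single-label name.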

Configuring name resolution on DNS clients

The best way to configure name resolution for DNS clients depends on the configuration of your network. If computers use DHCP, you probably want to configure DNS through settings on the DHCP server. If computers use static IP addresses or you want to configure DNS specifically for an individual system, you should configure DNS manually.

You can configure DNS settings on the DNS tab of the Advanced TCP/IP Settings dialog box. To access this dialog box, follow these steps:

1. Open Network And Sharing Center, and then tap or click Change Adapter Settings.

2. In Network Connections, press and hold or right-click the connection with which you want to work, and then tap or click Properties.

3. Double-tap or double-click Internet Protocol Version 6 (TCP/IPv6) or Internet Protocol Version 4 (TCP/IPv4), depending on the type of IP address you are configuring.

4. If the computer is using DHCP and you want DHCP to specify the DNS server address, select Obtain DNS Server Address Automatically. Otherwise, select Use The Following DNS Server Addresses, and then enter primary and alternate DNS server addresses in the text boxes provided.

5. Tap or click Advanced to display the Advanced TCP/IP Settings dialog box. In this dialog box, tap or click the DNS tab.

You use the options of the DNS tab as follows:

§ DNS Server Addresses, In Order Of Use. Use this area to specify the IP address of each DNS server that is used for domain name resolution. Tap or click Add if you want to add a server IP address to the list. Tap or click Remove to remove a selected server address from the list. Tap or click Edit to edit the selected entry. You can specify multiple servers for DNS resolution. Their priority is determined by the order. If the first server isn’t available to respond to a host name resolution request, the next DNS server in the list is accessed, and so on. To change the position of a server in the list box, select it, and then use the up or down arrow.

§ Append Primary And Connection Specific DNS Suffixes. Typically, this option is selected by default. Select this option to resolve unqualified computer names in the primary domain. For example, if the computer name Gandolf is used and the parent domain is microsoft.com, the computer name would resolve to gandolf.microsoft.com. If the fully qualified computer name doesn’t exist in the parent domain, the query fails. The parent domain used is the one set on the Computer Name tab in the System Properties dialog box. (Tap or click System And Security\System in Control Panel, tap or click Change Settings, and then display the Computer Name tab to check the settings.)

§ Append Parent Suffixes Of The Primary DNS Suffix. This option is selected by default. Select this option to resolve unqualified computer names by using the parent/child domain hierarchy. If a query fails in the immediate parent domain, the suffix for the parent of the parent domain is used to try to resolve the query. This process continues until the top of the DNS domain hierarchy is reached. For example, if the computer name Gandolf is used in the dev.microsoft.com domain, DNS would attempt to resolve the computer name to gandolf.dev.microsoft.com. If this didn’t work, DNS would attempt to resolve the computer name to gandolf.microsoft.com.

§ Append These DNS Suffixes (In Order). Select this option to set specific DNS suffixes to use rather than resolving through the parent domain. Tap or click Add if you want to add a domain suffix to the list. Tap or click Remove to remove a selected domain suffix from the list. Tap or click Edit to edit the selected entry. You can specify multiple domain suffixes, which are used in order. If the first suffix is not resolved properly, DNS attempts to use the next suffix in the list. If this fails, the next suffix is used, and so on. To change the order of the domain suffixes, select the suffix, and then use the up or down arrow to change its position. This option is especially useful in hybrid namespaces where there are multiple parent domain names.

§ DNS Suffix For This Connection. This option sets a specific DNS suffix for the connection that overrides DNS names already configured for use on this connection. You usually set the DNS domain name on the Computer Name tab of the System Properties dialog box.

§ Register This Connection’s Addresses In DNS. Select this option if you want all IP addresses for this connection to be registered in DNS under the computer’s fully qualified domain name. This option is selected by default.

NOTE

Dynamic DNS updates are used in conjunction with DHCP to enable a client to update its A (Host Address) record if its IP address changes and to enable the DHCP server to update the PTR (Pointer) record for the client on the DNS server. You can also configure DHCP servers to update both the A and PTR records on the client’s behalf. Dynamic DNS updates are supported by DNS servers with BIND 8.2.1 or later in addition to all server versions of Windows.

§ Use This Connection’s DNS Suffix In DNS Registration. Select this option if you want all IP addresses for this connection to be registered in DNS under the parent domain.
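The suffix options above and the GlobalNames resolution sequence in the previous section describe the same ordered list of names a client tries for a single-label lookup. As an added example (not the book's own code), the following PowerShell function builds that list for a given primary suffix, optional suffix search list, and parent-suffix devolution, ending with the bare name that a GlobalNames zone (and then WINS) answers. It is a model of the behavior the text describes, not the resolver itself; the stopping point for devolution (a two-label minimum, the forest-root depth in the sample) is an assumption, and the suffixes and the interface alias Ethernet are constructed. The commented cmdlets at the end apply the equivalent settings to an interface.

```powershell
# Added example (not from the book): build the ordered list of names a Windows
# DNS client tries for a single-label lookup, following the DNS tab options and
# the GlobalNames sequence. Pure PowerShell; the suffixes are constructed.
function Get-DnsLookupCandidates {
    param(
        [Parameter(Mandatory)] [string] $Name,     # what the user typed, e.g. 'gandolf'
        [string]   $PrimarySuffix = '',             # set on the Computer Name tab
        [string[]] $SearchList = @(),               # "Append These DNS Suffixes (In Order)"
        [bool]     $AppendParentSuffixes = $true,   # "Append Parent Suffixes Of The Primary DNS Suffix"
        [int]      $DevolutionLevel = 2             # assumption: stop at this many labels
    )
    if ($Name.Contains('.')) { return ,$Name }      # already qualified: try it as given

    $candidates = New-Object System.Collections.Generic.List[string]
    if ($SearchList.Count -gt 0) {
        # An explicit search list replaces primary-suffix handling entirely.
        foreach ($s in $SearchList) { $candidates.Add("$Name.$s") }
    } elseif ($PrimarySuffix) {
        $labels = $PrimarySuffix.Split('.')
        $candidates.Add("$Name.$PrimarySuffix")
        if ($AppendParentSuffixes) {
            # dev.microsoft.com -> microsoft.com, stopping at the devolution level
            for ($i = 1; ($labels.Count - $i) -ge $DevolutionLevel; $i++) {
                $candidates.Add("$Name." + ($labels[$i..($labels.Count - 1)] -join '.'))
            }
        }
    }
    # Last resort: the bare single-label name, answered by a GlobalNames zone, then WINS.
    $candidates.Add($Name)
    return $candidates.ToArray()
}

# Primary suffix with devolution: gandolf.dev.microsoft.com, gandolf.microsoft.com, gandolf
Get-DnsLookupCandidates -Name 'gandolf' -PrimarySuffix 'dev.microsoft.com'

# Explicit search list: gandolf.hr.adatum.com, gandolf.adatum.com, gandolf
Get-DnsLookupCandidates -Name 'gandolf' -SearchList 'hr.adatum.com', 'adatum.com'

# Applying the equivalent DNS tab settings (interface alias 'Ethernet' assumed):
# Set-DnsClientGlobalSetting -SuffixSearchList 'hr.adatum.com', 'adatum.com' -UseDevolution $true
# Set-DnsClient -InterfaceAlias 'Ethernet' -ConnectionSpecificSuffix 'hr.adatum.com' `
#     -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $false
```

Seeing the list written out makes the security point of the suffix options concrete: every suffix you append is a domain whose DNS server gets to answer for names your users type, so search lists should contain only domains you control.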

Installing DNS servers

You can configure any Windows Server 2012 R2 system as a DNS server. Four types of DNS servers are available:

§ Active Directory–integrated primary server. A DNS server that’s fully integrated with Active Directory. All DNS data is stored directly in Active Directory.

§ Primary server. The main DNS server for a domain that is partially integrated with Active Directory. This server stores a master copy of DNS records and the domain’s configuration files. These files are stored as text files with the .dns extension.

§ Secondary server. A DNS server that provides backup services for the domain. This server stores a copy of DNS records obtained from a primary server and relies on zone transfers for updates. Secondary servers obtain their DNS information from a primary server when they are started, and they maintain this information until the information is refreshed or expired.

§ Forwarding-only server. A server that caches DNS information after lookups and always passes requests to other servers. These servers maintain DNS information until it’s refreshed or expired or until the server is restarted. Unlike secondary servers, forwarding-only servers don’t request full copies of a zone’s database files. This means that when you start a forwarding-only server, its database contains no information.

Before you configure a DNS server, you must install the DNS Server service. Then you can configure the server to provide integrated, primary, secondary, or forwarding-only DNS services.

Installing and configuring the DNS Server service

All domain controllers can act as DNS servers, and you might be prompted to install and configure DNS during installation of the domain controller. If you respond affirmatively to the prompts, DNS is already installed, and the default configuration is set automatically. You don’t need to reinstall.

If you’re working with a member server instead of a domain controller, or if you haven’t installed DNS, follow these steps to install DNS:

1. In Server Manager, tap or click Manage, and then tap or click Add Roles And Features, or select Add Roles And Features in the Quick Start pane to start the Add Roles And Features Wizard. If the wizard displays the Before You Begin page, read the Welcome text, and then tap or click Next.

2. On the Installation Type page, Role-Based Or Feature-Based Installation is selected by default. Tap or click Next.

3. On the Server Selection page, you can choose to install roles and features on running servers or virtual hard disks. Either select a server from the server pool or select a server from the server pool on which to mount a virtual hard disk (VHD). If you are adding roles and features to a VHD, tap or click Browse and then use the Browse For Virtual Hard Disks dialog box to locate the VHD. When you are ready to continue, tap or click Next.

NOTE

Only servers running Windows Server 2012 R2 and that have been added for management in Server Manager are listed.

4. On the Server Roles page, select DNS Server. If additional features are required to install a role, you’ll get an additional dialog box. Tap or click Add Features to close the dialog box, and add the required features to the server installation. When you are ready to continue, tap or click Next three times.

5. If the server on which you want to install the DNS Server role doesn’t have all the required binary source files, the server gets the files via Windows Update by default or from a location specified in Group Policy.

NOTE

You also can specify an alternate path for the required source files. To do this, click the Specify An Alternate Source Path link, enter that alternate path in the box provided, and then tap or click OK. For network shares, enter the UNC path to the share, such as \\CorpServer82\WinServer2012\. For mounted Windows images, enter the Windows Imaging (WIM) path prefixed with WIM: and including the index of the image to use, such as WIM:\\CorpServer82\WinServer2012\install.wim:4.

6. Tap or click Install to begin the installation process. The Installation Progress page tracks the progress of the installation. If you close the wizard, tap or click the Notifications icon in Server Manager, and then tap or click the link provided to reopen the wizard.

7. When Setup finishes installing the DNS Server role, the Installation Progress page will be updated to reflect this. Review the installation details to ensure that the installation was successful.

8. From now on, the DNS Server service should start automatically each time you restart the server. If it doesn’t start, you need to start it manually. (See Starting and stopping a DNS server later in this chapter.)

9. After you install a DNS server, you use the DNS console to configure and manage DNS. In Server Manager, tap or click Tools, and then tap or click DNS to open the DNS Manager console, shown in Figure 9-1.


Figure 9-1. Use the DNS Manager console to manage DNS servers on the network.

10. If the server you want to configure isn’t listed in the tree view, you need to connect to the server. Press and hold or right-click DNS in the tree view, and then tap or click Connect To DNS Server. Now do one of the following:

o If you’re trying to connect to a local server, select This Computer, and then tap or click OK.

o If you’re trying to connect to a remote server, select The Following Computer, enter the server’s name or IP address, and then tap or click OK.

11. An entry for the DNS server should be listed in the tree view pane of the DNS Manager console. Press and hold or right-click the server entry, and then tap or click Configure A DNS Server to start the Configure A DNS Server Wizard. Tap or click Next.

12. On the Select Configuration Action page, shown in Figure 9-2, select Configure Root Hints Only to specify that only the base DNS structures should be created at this time.


Figure 9-2. Configure the root hints only to install the base DNS structures.

13. Tap or click Next. The wizard searches for existing DNS structures and modifies them as necessary.

14. Tap or click Finish to complete the process.

REAL WORLD

If the wizard wasn’t able to configure the root hints, you might need to configure them manually or copy them from another server. However, a default set of root hints is included with DNS Server, and these root hints should be added automatically. To confirm, press and hold or right-click the server entry in the DNS console, and then select Properties. In the Properties dialog box, the currently configured root hints are shown on the Root Hints tab.
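The installation and root-hints check above can be done without the wizards. This is an added example, not the book's own procedure: it installs the DNS Server role with Install-WindowsFeature (the PowerShell equivalent of steps 1 through 7), makes sure the DNS service is set to start automatically (step 8), and then lists the configured root hints so that you verify them rather than assume the default set was added.

```powershell
# Added example (not from the book): install the DNS Server role with PowerShell
# instead of the Add Roles And Features Wizard, make sure the service starts
# automatically, and confirm the root hints the wizard is expected to create.
Import-Module ServerManager

# Install the role together with the DNS Manager console and the DnsServer cmdlets.
$result = Install-WindowsFeature -Name DNS -IncludeManagementTools
if (-not $result.Success) { throw "DNS Server role installation failed (exit code $($result.ExitCode))" }

# The DNS service should be Automatic and running once installation completes.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='DNS'"
if ($svc.StartMode -ne 'Auto')  { Set-Service -Name DNS -StartupType Automatic }
if ($svc.State     -ne 'Running') { Start-Service -Name DNS }

# Root hints: a default set ships with DNS Server, but verify rather than assume.
Import-Module DnsServer
$hints = @(Get-DnsServerRootHint)
if ($hints.Count -eq 0) {
    Write-Warning 'No root hints configured; copy them from another server or add them manually.'
} else {
    $hints | ForEach-Object {
        # Each hint carries an NS record plus one or more A/AAAA glue records.
        $addrs = @($_.IPAddress.RecordData.IPv4Address) + @($_.IPAddress.RecordData.IPv6Address) |
                 Where-Object { $_ } | ForEach-Object { $_.IPAddressToString }
        '{0,-24} {1}' -f $_.NameServer.RecordData.NameServer, ($addrs -join ', ')
    }
}
```

Root hints are where recursion starts, so a server whose hints point somewhere unexpected will resolve every external name through a server you did not choose. Reviewing the printed list against the published root server names is a cheap check after any installation or restore.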

Configuring a primary DNS server

Every domain should have a primary DNS server. You can integrate this server with Active Directory, or it can act as a standard primary server. Primary servers should have forward lookup zones and reverse lookup zones. You use forward lookups to resolve domain names to IP addresses. You need reverse lookups to authenticate DNS requests by resolving IP addresses to domain names or hosts.

After you install the DNS Server service on the server, you can configure a primary server by following these steps:

1. Start the DNS Manager console. If the server you want to configure isn’t listed, connect to it as described previously in Installing and configuring the DNS Server service.

2. An entry for the DNS server should be listed in the tree view pane of the DNS Manager console. Press and hold or right-click the server entry, and then tap or click New Zone to start the New Zone Wizard. Tap or click Next.

3. As Figure 9-3 shows, you can now select the zone type. If you’re configuring a primary server integrated with Active Directory (on a domain controller), select Primary Zone and be sure the Store The Zone In Active Directory check box is selected. If you don’t want to integrate DNS with Active Directory, select Primary Zone, and then clear the Store The Zone In Active Directory check box. Tap or click Next.


Figure 9-3. In the New Zone Wizard, select the zone type.

4. If you’re integrating the zone with Active Directory, choose one of the following replication strategies; otherwise, proceed to step 6.

o To All DNS Servers Running On Domain Controllers In This Forest. Choose this strategy if you want the widest replication strategy. Remember, the Active Directory forest includes all domain trees that share the directory data with the current domain.

o To All DNS Servers Running On Domain Controllers In This Domain. Choose this strategy if you want to replicate DNS information within the current domain.

o To All Domain Controllers In This Domain (For Windows 2000 Compatibility). Choose this strategy if you want to replicate DNS information to all domain controllers within the current domain, as needed for Windows 2000 compatibility. Although this strategy gives wider replication for DNS information within the domain and supports compatibility with Windows 2000, not every domain controller is a DNS server as well (nor do you need to configure every domain controller as a DNS server).

5. Tap or click Next. Select Forward Lookup Zone, and then tap or click Next.

6. Enter the full DNS name for the zone. The zone name should help determine how the server or zone fits into the DNS domain hierarchy. For example, if you’re creating the primary server for the microsoft.com domain, you would enter microsoft.com as the zone name. Tap or click Next.

7. If you’re configuring a primary zone that isn’t integrated with Active Directory, you need to set the zone file name. A default name for the zone’s DNS database file should be filled in for you. You can use this name or enter a new file name. Tap or click Next.

8. Specify whether dynamic updates are allowed. You have three options:

o Allow Only Secure Dynamic Updates. When the zone is integrated with Active Directory, you can use access control lists (ACLs) to restrict which clients can perform dynamic updates. With this option selected, only clients with authorized computer accounts and approved ACLs can dynamically update their resource records in DNS when changes occur.

o Allow Both Nonsecure And Secure Dynamic Updates. Choose this option to allow any client to update its resource records in DNS when changes occur. Clients can be secure or nonsecure.

o Do Not Allow Dynamic Updates. Choose this option to disable dynamic updates in DNS. You should use this option only when the zone isn’t integrated with Active Directory.

9. Tap or click Next, and then tap or click Finish to complete the process. The new zone is added to the server, and basic DNS records are created automatically.

10. A single DNS server can provide services for multiple domains. If you have multiple parent domains, such as microsoft.com and msn.com, you can repeat this process to configure other forward lookup zones. You also need to configure reverse lookup zones. Follow the steps listed in Configuring reverse lookups later in this chapter.

11. You need to create additional records for any computers you want to make accessible to other DNS domains. To do this, follow the steps listed in Managing DNS records later in this chapter.
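As an added example (not the book's own steps), the following PowerShell performs the New Zone Wizard choices from steps 3 through 9 with the DnsServer cmdlets: one AD DS-integrated zone replicated within the domain that accepts only secure dynamic updates, and one file-backed zone with dynamic updates disabled. It then audits every primary zone on the server for the Allow Both Nonsecure And Secure Dynamic Updates setting, which is the option to look for when reviewing an existing server. The zone names adatum.com and corp.adatum.com and the zone file name are constructed sample values.

```powershell
# Added example (not from the book): create the forward lookup zones from the
# wizard steps with the DnsServer cmdlets, then audit every primary zone for the
# weakest dynamic-update setting. Zone names adatum.com / corp.adatum.com and the
# zone file name are constructed sample values.
Import-Module DnsServer

# Steps 3, 4 and 8: AD DS-integrated zone, replicated to all DNS servers running
# on domain controllers in this domain, secure dynamic updates only.
Add-DnsServerPrimaryZone -Name 'adatum.com' -ReplicationScope Domain -DynamicUpdate Secure

# Steps 3, 7 and 8: a standard (file-backed) primary zone. Secure updates need
# AD DS, so for a file-backed zone the safe choice is to disable dynamic updates.
Add-DnsServerPrimaryZone -Name 'corp.adatum.com' -ZoneFile 'corp.adatum.com.dns' -DynamicUpdate None

# Audit: primary zones that accept nonsecure updates. In such a zone any host
# that can reach the server can register or overwrite records without authenticating.
function Get-NonsecureUpdateZone {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
        Select-Object ZoneName, IsDsIntegrated, IsReverseLookupZone, DynamicUpdate
}
Get-NonsecureUpdateZone

# Remediation for an AD DS-integrated zone reported by the audit:
# Set-DnsServerPrimaryZone -Name 'adatum.com' -DynamicUpdate Secure
```

Running the audit function from a scheduled task, or against each server with -ComputerName, catches zones that were created with the default wizard choices and never tightened.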

REAL WORLD

Most organizations have private and public areas of their network. The public network areas might be where web and external email servers reside. Your organization’s public network areas shouldn’t allow unrestricted access. Instead, public network areas should be configured as part of perimeter networks. (Perimeter networks are also known as DMZs, demilitarized zones, and screened subnets. These are areas protected by your organization’s firewall that have restricted external access and no access to the internal network.) Otherwise, public network areas should be in a completely separate and firewall-protected area.

The private network areas are where the organization’s internal servers and workstations reside. On the public network areas, your DNS settings are in the public Internet space. Here, you might use a .com, .org, or .net DNS name that you’ve registered with an Internet registrar and public IP addresses that you’ve purchased or leased. On the private network areas, your DNS settings are in the private network space. Here, you might use adatum.com as your organization’s DNS name and private IP addresses, as discussed in Chapter 7.

Configuring a secondary DNS server

Secondary servers provide backup DNS services on the network. If you’re using full Active Directory integration, you don’t really need to configure secondaries. Instead, you should configure multiple domain controllers to handle DNS services. Active Directory replication will then handle replicating DNS information to your domain controllers. On the other hand, if you’re using partial integration, you might want to configure secondaries to lessen the load on the primary server. On a small or medium-size network, you might be able to use the name servers of your Internet service provider (ISP) as secondaries. In this case, you should contact your ISP to configure secondary DNS services for you. Alternatively, you can put your public DNS records on a dedicated, external DNS service while hosting your private DNS records entirely on your internal DNS servers.

Because secondary servers use forward lookup zones for most types of queries, you might not need reverse lookup zones. But reverse lookup zone files are essential for primary servers, and you must configure them for proper domain name resolution.

If you want to set up your own secondaries for backup services and load balancing, follow these steps:

1. Start the DNS Manager console. If the server you want to configure isn’t listed, connect to it as described previously.

2. Press and hold or right-click the server entry, and then tap or click New Zone to start the New Zone Wizard. Tap or click Next.

3. For Zone Type, select Secondary Zone. Tap or click Next.

4. Secondary servers can use both forward and reverse lookup zone files. You create the forward lookup zone first, so select Forward Lookup Zone, and then tap or click Next.

5. Enter the full DNS name for the zone, and then tap or click Next.

6. Tap or click in the Master Servers list, enter the IP address of the primary server for the zone, and then press Enter. The wizard then attempts to validate the server. If an error occurs, be sure the server is connected to the network and that you’ve entered the correct IP address. Also ensure that you’ve enabled zone transfers on the primary. If you want to copy zone data from other servers in case the first server isn’t available, repeat this step.

7. Tap or click Next, and then tap or click Finish. On a busy or large network, you might need to configure reverse lookup zones on secondaries. If so, follow the steps listed in the next section.
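The same configuration from the command line, as an added example that is not from the book: it uses the DnsServer module cmdlets that ship with Windows Server 2012 R2 to create the secondary zone and, on the primary, to restrict zone transfers to that secondary only (step 6 above requires transfers to be enabled, and leaving them open to any server lets anyone enumerate the zone). The zone name adatum.com, the server names dns01 and dns02, and the addresses are constructed for the example.

```powershell
# Added example (not the book's code). Assumed: adatum.com is the zone,
# dns01 (192.168.10.10) holds the primary, dns02 (192.168.10.11) will be
# the secondary. Run from a host with the DnsServer module (RSAT).

$zone      = 'adatum.com'
$primary   = '192.168.10.10'
$secondary = '192.168.10.11'

# On the primary: allow transfers only to the listed secondary and notify
# it of changes. SecureSecondaries maps to the Zone Transfers tab in
# DNS Manager (NoTransfer, TransferAnyServer, TransferToZoneNameServer,
# TransferToSecureServers).
Set-DnsServerPrimaryZone -ComputerName 'dns01' -Name $zone `
    -SecureSecondaries TransferToSecureServers -SecondaryServers $secondary `
    -Notify NotifyServers -NotifyServers $secondary

# On the secondary: create the zone and point it at the primary (the
# "Master Servers" list in the wizard). A second address here gives the
# wizard's fallback for when the first master is unavailable.
Add-DnsServerSecondaryZone -ComputerName 'dns02' -Name $zone `
    -ZoneFile "$zone.dns" -MasterServers $primary

# Pull the zone now instead of waiting for the refresh interval, then
# compare SOA serial numbers to confirm the copy is current.
Start-DnsServerZoneTransfer -ComputerName 'dns02' -Name $zone -FullTransfer
$soaPrimary   = Get-DnsServerResourceRecord -ComputerName 'dns01' -ZoneName $zone -RRType Soa
$soaSecondary = Get-DnsServerResourceRecord -ComputerName 'dns02' -ZoneName $zone -RRType Soa
$serialP = $soaPrimary.RecordData.SerialNumber
$serialS = $soaSecondary.RecordData.SerialNumber
if ($serialP -eq $serialS) {
    "Zone $zone is in sync (serial $serialP)"
} else {
    "Zone $zone is NOT in sync: primary $serialP, secondary $serialS"
}

# Audit: list any primary zone on dns01 that still allows transfers to
# any server. Such zones should be tightened before going live.
Get-DnsServerZone -ComputerName 'dns01' |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.SecureSecondaries -eq 'TransferAnyServer' } |
    Select-Object ZoneName, SecureSecondaries
```

If the secondary is hosted by an ISP, only the Set-DnsServerPrimaryZone call applies on your side; give the ISP's transfer address in -SecondaryServers and ask the ISP to configure its end.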

Configuring reverse lookups

Forward lookups are used to resolve domain names to IP addresses. Reverse lookups are used to resolve IP addresses to domain names. Each segment on your network should have a reverse lookup zone. For example, if you have the subnets 192.168.10.0, 192.168.11.0, and 192.168.12.0, you should have three reverse lookup zones.

The standard naming convention for reverse lookup zones is to enter the network ID in reverse order and then use the suffix in-addr.arpa. With the previous example, you’d have reverse lookup zones named 10.168.192.in-addr.arpa, 11.168.192.in-addr.arpa, and 12.168.192.in-addr.arpa. Records in the reverse lookup zone must be in sync with the forward lookup zone. If the zones get out of sync, authentication might fail for the domain.

You create reverse lookup zones by following these steps:

1. Start the DNS Manager console. If the server you want to configure isn’t listed, connect to it as described previously.

2. Press and hold or right-click the server entry, and then tap or click New Zone to start the New Zone Wizard. Tap or click Next.

3. If you’re configuring a primary server integrated with Active Directory (a domain controller), select Primary Zone and be sure that Store The Zone In Active Directory is selected. If you don’t want to integrate DNS with Active Directory, select Primary Zone, and then clear the Store The Zone In Active Directory check box. Tap or click Next.

4. If you’re configuring a reverse lookup zone for a secondary server, select Secondary Zone, and then tap or click Next.

5. If you’re integrating the zone with Active Directory, choose one of the following replication strategies:

o To All DNS Servers Running On Domain Controllers In This Forest. Choose this strategy if you want the widest replication strategy. Remember, the Active Directory forest includes all domain trees that share the directory data with the current domain.

o To All DNS Servers Running On Domain Controllers In This Domain. Choose this strategy if you want to replicate DNS information within the current domain.

o To All Domain Controllers In This Domain (For Windows 2000 Compatibility). Choose this strategy if you want to replicate DNS information to all domain controllers within the current domain, as needed for Windows 2000 compatibility. Although this strategy gives wider replication for DNS information within the domain, not every domain controller is a DNS server as well (and you don’t need to configure every domain controller as a DNS server either).

6. Select Reverse Lookup Zone, and then tap or click Next.

7. Choose whether you want to create a reverse lookup zone for IPv4 or IPv6 addresses, and then tap or click Next. Do one of the following:

o If you are configuring a reverse lookup zone for IPv4, enter the network ID for the reverse lookup zone. The values you enter set the default name for the reverse lookup zone. Tap or click Next.

o If you have multiple subnets on the same network, such as 192.168.10 and 192.168.11, you can enter only the network portion for the zone name. For example, you could enter 192.168. In this case, you’d have 168.192.in-addr.arpa as the zone name and allow the DNS Manager console to create the necessary subnet zones when needed.

o If you are configuring a reverse lookup zone for IPv6, enter the network prefix for the reverse lookup zone. The values you enter are used to automatically generate the related zone names. Depending on the prefix you enter, you can create up to eight zones. Tap or click Next.

8. If you’re configuring a primary or secondary server that isn’t integrated with Active Directory, you need to set the zone file name. A default name for the zone’s DNS database file should be filled in for you. You can use this name or enter a new file name. Tap or click Next.

9. Specify whether dynamic updates are allowed. You have three options:

o Allow Only Secure Dynamic Updates. When the zone is integrated with Active Directory, you can use ACLs to restrict which clients can perform dynamic updates. With this option selected, only clients with authorized computer accounts and approved ACLs can dynamically update their resource records in DNS when changes occur.

o Allow Both Nonsecure And Secure Dynamic Updates. Choose this option to allow any client to update its resource records in DNS when changes occur. Clients can be secure or nonsecure.

o Do Not Allow Dynamic Updates. Choosing this option disables dynamic updates in DNS. You should use this option only when the zone isn’t integrated with Active Directory.

10. Tap or click Next, and then tap or click Finish. The new zone is added to the server, and basic DNS records are created automatically.

After you set up the reverse lookup zones, you need to ensure that delegation for the zones is handled properly. Contact your networking team or your ISP to ensure that the zones are registered with the parent domain.
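The reverse lookup zones for the three subnets used in this section, created from the command line, as an added example that is not from the book. It goes slightly beyond the text by also creating an IPv6 reverse zone from a prefix. The cmdlet derives the in-addr.arpa (or ip6.arpa) name from the network ID the same way the wizard does, and the zones are created as Active Directory-integrated with secure-only dynamic updates. The IPv6 prefix fd00:10:20::/64 is constructed for the example; the server is assumed to be a domain controller.

```powershell
# Added example (not the book's code). Assumed: run on a domain
# controller that is also a DNS server; subnets are the text's three
# IPv4 subnets plus a constructed IPv6 /64.

$subnets = @(
    '192.168.10.0/24',   # becomes 10.168.192.in-addr.arpa
    '192.168.11.0/24',   # becomes 11.168.192.in-addr.arpa
    '192.168.12.0/24',   # becomes 12.168.192.in-addr.arpa
    'fd00:10:20::/64'    # becomes 0.0.0.0.0.2.0.0.0.1.0.0.0.0.d.f.ip6.arpa
)

foreach ($net in $subnets) {
    # -NetworkId sets the zone name; -DynamicUpdate Secure matches the
    # wizard's "Allow Only Secure Dynamic Updates", so only computers
    # with authenticated accounts can register or change PTR records.
    Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain -DynamicUpdate Secure
}

# Verify what was created.
Get-DnsServerZone | Where-Object IsReverseLookupZone |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, DynamicUpdate

# Audit: any reverse zone that accepts nonsecure updates lets an
# unauthenticated host rewrite PTR records, so flag them.
$weak = Get-DnsServerZone |
    Where-Object { $_.IsReverseLookupZone -and $_.DynamicUpdate -eq 'NonsecureAndSecure' }
if ($weak) {
    "Reverse zones accepting nonsecure updates: $($weak.ZoneName -join ', ')"
}
```

Use Add-DnsServerSecondaryZone with the same -NetworkId value (plus -MasterServers) when the reverse zone belongs on a secondary rather than a primary.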

Configuring global names

The GlobalNames zone is a specially named forward lookup zone that should be integrated with AD DS. When all the DNS servers for your zones are running Windows Server 2008 or later releases, deploying a GlobalNames zone creates static, global records with single-label names, without relying on WINS. This enables users to access hosts by using single-label names rather than fully qualified domain names. You should use the GlobalNames zone when name resolution depends on DNS, such as when your organization is no longer using WINS and you are planning to deploy only IPv6. Because dynamic updates cannot be used to register updates in the GlobalNames zone, you should configure single-label name resolution only for your primary servers.

You can deploy a GlobalNames zone by completing the following steps:

1. In the DNS Manager console, select a DNS server that is also a domain controller. If the server you want to configure isn’t listed, connect to it as described previously in Installing and configuring the DNS Server service.

2. Press and hold or right-click the Forward Lookup Zones node, and then tap or click New Zone. In the New Zone Wizard, tap or click Next to accept the defaults to create a primary zone integrated with AD DS. On the Active Directory Zone Replication Scope page, choose to replicate the zone throughout the forest, and then tap or click Next. On the Zone Name page, enter GlobalNames as the zone name. Tap or click Next twice, and then tap or click Finish.

3. On every authoritative DNS server in the forest now and in the future, you need to enter the following at an elevated shell prompt:

Set-DnsServerGlobalNameZone -ComputerName ServerName -Enable $True

ServerName is the name of the DNS server that hosts the GlobalNames zone. To specify the local computer, just omit the -ComputerName parameter, such as

Set-DnsServerGlobalNameZone -Enable $True

4. For each server that you want users to be able to access by using a single-label name, add an alias (CNAME) record to the GlobalNames zone. In the DNS Manager console, press and hold or right-click the GlobalNames node, select New Alias (CNAME), and then use the dialog box provided to create the new resource record.

NOTE

An authoritative DNS server tries to resolve queries in the following order: by using local zone data, by using the GlobalNames zone, by using DNS suffixes, by using WINS. For dynamic updates, an authoritative DNS server checks the GlobalNames zone before checking the local zone data.

TIP

If you want DNS clients in another forest to use the GlobalNames zone for resolving names, you need to add an SRV resource record with the service name _globalnames._msdcs to that forest’s forestwide DNS partition. The record must specify the FQDN of the DNS server that hosts the GlobalNames zone.
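The whole GlobalNames deployment from steps 1 through 4, scripted, as an added example that is not from the book. The forest root adatum.com, the DNS servers dns01 and dns02, the alias intranet, the target host web01.adatum.com and the second forest fabrikam.com are all constructed names. The placement of the cross-forest SRV record in the _msdcs zone of the other forest's root is an assumption based on the TIP above, which only says "forestwide DNS partition".

```powershell
# Added example (not the book's code). Assumed: dns01 and dns02 are
# domain controllers running DNS in the adatum.com forest.

# 1. Forest-wide, AD-integrated primary zone named GlobalNames. It takes
#    no dynamic updates, so records are added by administrators only.
Add-DnsServerPrimaryZone -Name 'GlobalNames' -ReplicationScope Forest -DynamicUpdate None

# 2. Enable GlobalNames resolution on every authoritative server
#    (repeat for any server added later; the zone is ignored otherwise).
foreach ($srv in 'dns01', 'dns02') {
    Set-DnsServerGlobalNameZone -ComputerName $srv -Enable $true
}

# 3. One CNAME per single-label name that users should be able to type.
Add-DnsServerResourceRecordCName -ZoneName 'GlobalNames' -Name 'intranet' -HostNameAlias 'web01.adatum.com'

# 4. Check: the single-label query is answered from the GlobalNames zone
#    after local zone data fails to match.
Resolve-DnsName -Name 'intranet' -Server 'dns01' -Type CNAME

# Audit: anything other than CNAME (and the automatic SOA/NS records)
# in this zone is a misconfiguration worth investigating.
Get-DnsServerResourceRecord -ZoneName 'GlobalNames' |
    Where-Object { $_.RecordType -notin 'CNAME', 'SOA', 'NS' } |
    Select-Object HostName, RecordType

# Optional, per the TIP (placement is an assumption): let clients in the
# fabrikam.com forest use this zone by publishing an SRV record named
# _globalnames._msdcs in that forest's forest-wide partition, which by
# default is the _msdcs.<forest root> zone. Run against a fabrikam DNS server.
# Add-DnsServerResourceRecord -Srv -ZoneName '_msdcs.fabrikam.com' -Name '_globalnames' `
#     -DomainName 'dns01.adatum.com' -Priority 0 -Weight 100 -Port 0
```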

Managing DNS servers

The DNS Manager console is the tool you use to manage local and remote DNS servers. As shown in Figure 9-4, the DNS Manager console’s main window is divided into two panes. The left pane makes it possible for you to access DNS servers and their zones. The right pane shows the details for the currently selected item. You can work with the DNS Manager console in three ways:

§ Double-tap or double-click an entry in the left pane to expand the list of files for the entry.

§ Select an entry in the left pane to display details such as zone status and domain records in the right pane.

§ Press and hold or right-click an entry to display a context menu.

Figure 9-4. Manage local and remote DNS servers by using the DNS Manager console.

The Forward Lookup Zones and Reverse Lookup Zones folders provide access to the domains and subnets configured for use on this server. When you select domain or subnet folders in the left pane, you can manage DNS records for the domain or subnet.

Adding and removing servers to manage

You can use the DNS Manager console to manage servers running DNS by following these steps:

1. Press and hold or right-click DNS in the console tree, and then tap or click Connect To DNS Server.

2. If you’re trying to connect to the local computer, select This Computer. Otherwise, select The Following Computer, and then enter the IP address or fully qualified host name of the remote computer with which you want to connect.

3. Tap or click OK. Windows Server 2012 R2 attempts to contact the server. If it makes contact, it adds the server to the console.

NOTE

If a server is offline or otherwise inaccessible because of security restrictions or problems with the Remote Procedure Call (RPC) service, the connection fails. You can still add the server to the console by tapping or clicking Yes when prompted.

In the DNS Manager console, you can delete a server by selecting its entry and then pressing Delete. When prompted, tap or click Yes to confirm the deletion. Deleting a server only removes it from the server list in the console tree. It doesn’t actually delete the server.

Starting and stopping a DNS server

To manage DNS servers, you use the DNS Server service. You can start, stop, pause, resume, and restart the DNS Server service in the Services node of Server Manager or from the command line. You can also manage the DNS Server service in the DNS Manager console. Press and hold or right-click the server you want to manage in the DNS Manager console, point to All Tasks, and then tap or click Start, Stop, Pause, Resume, or Restart as appropriate.

NOTE

In Server Manager, under the DNS Server node, expand the DNS node and then press and hold or right-click the server with which you want to work. On the shortcut menu, select Start Service, Stop Service, Pause Service, Resume Service, or Restart Service as appropriate.

Using DNSSEC and Signing Zones

Windows 7 or later versions, in addition to Windows Server 2008 R2 or later, support DNS Security Extensions (DNSSEC). DNSSEC is defined in several Request For Comments (RFCs), including RFCs 4033, 4034, and 4035. These RFCs add origin authority, data integrity, and authenticated denial of existence to DNS. With DNSSEC, there are the following additional resource records to learn about:

§ DNSKEY (Domain Name System Key)

§ RRSIG (Resource Record Signature)

§ NSEC (NextSECure)

§ DS (Domain Services)

The DNS client running on these operating systems can send queries that indicate support for DNSSEC, process related records, and determine whether a DNS server has validated records on its behalf. On Windows servers, DNSSEC allows your DNS servers to securely sign zones, to host DNSSEC-signed zones, to process related records, and to perform both validation and authentication. The way a DNS client works with DNSSEC is configured through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. Typically, you manage the NRPT through Group Policy.

When a DNS server hosting a signed zone receives a query, the server returns the digital signatures in addition to the requested records. A resolver or another server configured with a trust anchor for a signed zone or for a parent of a signed zone can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with.

As part of your predeployment planning, you need to identify the DNS zones to secure with digital signatures. DNS Server for Windows Server 2012 R2 has the following significant enhancements for DNSSEC:

§ Support for dynamic updates in Active Directory–integrated zones. Previously, if an Active Directory domain zone was signed, you needed to manually update all SRV records and other resource records. This is no longer required because DNS Server now does this automatically.

§ Support for online signing, automated key management, and automated trust anchor distribution. Previously, you needed to configure and manage signings, keys, and trust anchors. This is no longer required because DNS Server now does this automatically.

§ Support for validations of records signed with updated DNSSEC standards including NSEC3 and RSA/SHA-2.

With Windows Server 2012 R2, an authoritative DNS server also can act as the Key Master for DNSSEC. The Key Master generates and manages signing keys for both Active Directory-integrated zones protected by DNSSEC and standard (file-backed) zones protected by DNSSEC. When a zone has a designated Key Master, the Key Master is responsible for the entire key signing process from key generation to storage, rollover, retirement, and deletion.

Although key signing and management tasks can only be initiated from the Key Master, other primary DNS servers can continue to use zone signing—they just do so via the Key Master. You must choose a key master when you sign a zone with DNSSEC. You can transfer the key master role to another DNS server that hosts the zone at any time.

Additionally, keep the following in mind:

§ For file-backed zones, the primary server and all secondary servers hosting the zone must be a Windows Server 2008 R2 or later DNS server or a DNSSEC-aware server that is running an operating system other than Windows.

§ For Active Directory–integrated zones, every domain controller that is a DNS server in the domain must be running Windows Server 2008 R2 or later if the signed zone is set to replicate to all DNS servers in the domain. Every domain controller that is a DNS server in the forest must be running Windows Server 2008 R2 or later if the signed zone is set to replicate to all DNS servers in the forest.

§ For mixed environments, all servers that are authoritative for a DNSSEC-signed zone must be DNSSEC-aware servers. DNSSEC-aware Windows clients that request DNSSEC data and validation must be configured to issue DNS queries to a DNSSEC-aware server. Non-DNSSEC-aware Windows clients can be configured to issue DNS queries to DNSSEC-aware servers. DNSSEC-aware servers can be configured to recursively send queries to a non-DNSSEC-aware DNS server.

Securing DNS zones with digital signatures is a multistep process. As part of that process, you need to designate a key master. Any authoritative server that hosts a primary copy of a zone can act as the key master. Next, you need to generate a Key Signing Key and a Zone Signing Key. A Key Signing Key (KSK) that is an authentication key has a private key and a public key associated with it. The private key is used for signing all of the DNSKEY records at the root of the zone. The public key is used as a trust anchor for validating DNS responses. A Zone Signing Key (ZSK) is used for signing zone records.

After you generate keys, you create resource records for authenticated denial of existence by using either the more secure NSEC3 standard or the less secure NSEC standard. Because trust anchors are used to validate DNS responses, you also need to specify how trust anchors are updated and distributed. Typically, you’ll want to automatically update and distribute trust anchors. By default, records are signed with SHA-1 and SHA-256 encryption. You can select other encryption algorithms as well.

You don’t need to go through the configuration process each time you sign a zone. The signing keys and other signing parameters are available for reuse.

To sign a zone while customizing the signing parameters, follow these steps:

1. In the DNS Manager console, press and hold or right-click the zone you want to secure. On the shortcut menu, select DNSSEC, and then select Sign The Zone. This starts the Zone Signing Wizard. If the wizard displays a welcome page, read the Welcome text, and then tap or click Next.

2. On the Signing Options page, select Customize Zone Signing Parameters, and then tap or click Next.

3. Select a key master for the zone. Any authoritative server that hosts a primary copy of a zone can act as the key master. When you are ready to continue, tap or click Next twice.

4. On the Key Signing Key page, configure a KSK by tapping or clicking Add, accepting or changing the default values for key properties and rollover, and then tapping or clicking OK. When you are ready to continue, tap or click Next twice.

5. On the Zone Signing Key page, configure a ZSK by tapping or clicking Add, accepting or changing the default values for key properties and rollover, and then tapping or clicking OK. When you are ready to continue, tap or click Next five times.

6. After the wizard signs the zone, click Finish.

To sign a zone and use existing signing parameters, follow these steps:

1. In the DNS Manager console, press and hold or right-click the zone you want to secure. On the shortcut menu, select DNSSEC and then select Sign The Zone. This starts the Zone Signing Wizard. If the wizard displays a welcome page, read the Welcome text, and then tap or click Next.

2. On the Signing Options page, select Sign The Zone With Parameters Of An Existing Zone. Enter the name of an existing signed zone, such as cpandl.com, and then tap or click Next.

3. On the Key Master page, select a key master for the zone. Any authoritative server that hosts a primary copy of a zone can act as the key master. Tap or click Next twice.

4. After the wizard signs the zone, tap or click Finish.
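The custom-parameter signing procedure, scripted with the DnsServer module, as an added example that is not from the book. It covers the same decisions the wizard asks for: denial of existence (NSEC3), trust-anchor distribution, a KSK and a ZSK with their rollover periods, and then a check that the zone really is serving RRSIG records. The zone cpandl.com comes from the text; dns01 (key master) and dns02 are constructed names. Two points are assumptions: that Set-DnsServerDnsSecZoneSetting is accepted before the zone is signed, and that Invoke-DnsServerZoneSign -DoSign signs with the keys and settings already configured rather than the defaults.

```powershell
# Added example (not the book's code). Assumed: cpandl.com is an
# AD-integrated primary zone hosted on dns01 and dns02; the script runs
# on dns01, which becomes the key master.

$zone = 'cpandl.com'

# Denial of existence and trust-anchor handling, chosen before signing.
# NSec3 is the option the text calls more secure; DnsKey distributes the
# trust anchor to the other DNS servers in the forest automatically.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 -DistributeTrustAnchor DnsKey

# Key Signing Key: signs the DNSKEY set at the zone apex; its public
# half is what validators use as the trust anchor. Zone Signing Key:
# signs the zone's records. RSA/SHA-256 throughout; 755-day and 90-day
# rollovers are the values the wizard proposes by default.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 755)
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)

# Sign the zone with the keys and settings above (assumption: -DoSign
# uses the configured parameters, -SignWithDefaultSettings would not).
Invoke-DnsServerZoneSign -ZoneName $zone -DoSign -Force -PassThru

# Verification.
"IsSigned: $((Get-DnsServerZone -Name $zone).IsSigned)"
Get-DnsServerSigningKey -ZoneName $zone |
    Select-Object Type, CryptoAlgorithm, KeyLength, RolloverPeriod, KeyStorageProvider
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey | Select-Object HostName, RecordType
# A DNSSEC-aware query should return RRSIG records next to the A record.
Resolve-DnsName -Name "www.$zone" -Type A -Server 'dns01' -DnssecOk

# The key master role can be moved to another primary that hosts the zone:
# Reset-DnsServerZoneKeyMasterRole -ZoneName $zone -KeyMasterServer 'dns02.cpandl.com'
```

For the second procedure (reusing existing parameters) the equivalent from the command line is simply Invoke-DnsServerZoneSign -ZoneName <zone> -SignWithDefaultSettings, which applies the server's default signing parameters rather than copying them from a named zone.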

Creating child domains within zones

By using the DNS Manager console, you can create child domains within a zone. For example, if you create the primary zone microsoft.com, you could create the subdomains hr.microsoft.com and mis.microsoft.com for the zone.

You create child domains by following these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the parent domain entry, and then tap or click New Domain.

3. Enter the name of the new domain, and then tap or click OK. For hr.microsoft.com, you would enter hr. For mis.microsoft.com, you would enter mis.

Creating child domains in separate zones

As your organization grows, you might want to organize the DNS namespace into separate zones. At your corporate headquarters, you could have a zone for the parent domain microsoft.com. At branch offices, you could have zones for each office, such as memphis.microsoft.com, newyork.microsoft.com, and la.microsoft.com.

You create child domains in separate zones by following these steps:

1. Install a DNS server in each child domain, and then create the necessary forward and reverse lookup zones for the child domain as described earlier in Installing DNS servers.

2. On the authoritative DNS server for the parent domain, you delegate authority to each child domain. Delegating authority enables the child domain to resolve and respond to DNS queries from computers inside and outside the local subnet.

You delegate authority to a child domain by following these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the parent domain entry, and then tap or click New Delegation to start the New Delegation Wizard. Tap or click Next.

3. As shown in Figure 9-5, enter the name of the delegated domain, such as service, and then tap or click Next. The name you enter updates the value in the Fully Qualified Domain Name text box.

Figure 9-5. Entering the name of the delegated domain sets the fully qualified domain name (FQDN).

4. Tap or click Add. This displays the New Name Server Record dialog box.

5. In the Server Fully Qualified Domain Name text box, type the fully qualified host name of a DNS server for the child domain, such as corpserver01.memphis.adatum.com, and then tap or click Resolve. The server then performs a lookup query and adds the resolved IP address to the IP Address list.

6. Repeat step 5 to specify additional name servers. The order of the entries determines which IP address is used first. Change the order as necessary by using the Up and Down buttons. When you are ready to continue, tap or click OK to close the New Name Server Record dialog box.

7. Tap or click Next, and then tap or click Finish.
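The delegation procedure from the command line, as an added example that is not from the book. It creates the delegation for memphis.adatum.com in the parent zone adatum.com with two name servers (the wizard's steps 5 and 6), adds the glue address records the resolver needs, and then verifies that the parent hands out the delegation and that each listed server actually answers for the child zone. The child-zone server names and addresses are constructed.

```powershell
# Added example (not the book's code). Assumed: adatum.com is hosted on
# dns01; corpserver01/02.memphis.adatum.com already serve the child zone.

$parent  = 'adatum.com'
$child   = 'memphis'
$childNs = [ordered]@{
    'corpserver01.memphis.adatum.com' = '192.168.20.10'
    'corpserver02.memphis.adatum.com' = '192.168.20.11'
}

# The first name server creates the delegation: an NS record for
# memphis in the parent plus a glue A record for the server.
$first = $childNs.Keys | Select-Object -First 1
Add-DnsServerZoneDelegation -ComputerName 'dns01' -Name $parent -ChildZoneName $child `
    -NameServer $first -IPAddress $childNs[$first]

# Additional name servers: one more NS record under the delegated name,
# and a glue A record so the address is available inside the parent zone.
foreach ($ns in ($childNs.Keys | Select-Object -Skip 1)) {
    Add-DnsServerResourceRecord -ComputerName 'dns01' -ZoneName $parent -NS -Name $child -NameServer $ns
    $glueName = $ns -replace "\.$([regex]::Escape($parent))$", ''   # corpserver02.memphis
    Add-DnsServerResourceRecordA -ComputerName 'dns01' -ZoneName $parent -Name $glueName -IPv4Address $childNs[$ns]
}

# What the parent now publishes for the child.
Get-DnsServerZoneDelegation -ComputerName 'dns01' -Name $parent -ChildZoneName $child |
    Select-Object ChildZoneName, NameServer, IPAddress

# Check that every delegated server is really authoritative for the
# child zone: each should return the child's SOA record when asked directly.
foreach ($ns in $childNs.Keys) {
    $soa = Resolve-DnsName -Name "$child.$parent" -Type SOA -Server $childNs[$ns] -ErrorAction SilentlyContinue
    if ($soa) { "$ns answers for $child.$parent (serial $($soa.SerialNumber))" }
    else      { "$ns does NOT answer for $child.$parent; the delegation would fail for this server" }
}
```

A delegation that points at a server that does not host the zone is a lame delegation: queries for the child still reach the parent, get referred to a server that cannot answer, and fail after timeouts, which is why the last loop matters.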

Deleting a domain or subnet

Deleting a domain or subnet permanently removes it from the DNS server. To delete a domain or subnet, follow these steps:

1. In the DNS Manager console, press and hold or right-click the domain or subnet entry.

2. On the shortcut menu, tap or click Delete, and then confirm the action by tapping or clicking Yes.

3. If the domain or subnet is integrated with Active Directory, you’ll receive a warning prompt. Confirm that you want to delete the domain or subnet from Active Directory by tapping or clicking Yes.

NOTE

Deleting a domain or subnet deletes all DNS records in a zone file but doesn’t actually delete the zone file on a primary or secondary server that isn’t integrated with Active Directory. The actual zone file remains in the %SystemRoot%\System32\Dns directory. You can delete this file after you have deleted the zones from the DNS Manager console.

Managing DNS records

After you create the necessary zone files, you can add records to the zones. Computers that need to be accessed from Active Directory and DNS domains must have DNS records. Although there are many types of DNS records, most of these record types aren’t commonly used. So rather than focus on record types you probably won’t use, let’s focus on the ones you will use:

§ A (IPv4 address). Maps a host name to an IPv4 address. When a computer has multiple adapter cards, IPv4 addresses, or both, it should have multiple address records.

§ AAAA (IPv6 address). Maps a host name to an IPv6 address. When a computer has multiple adapter cards, IPv6 addresses, or both, it should have multiple address records.

§ CNAME (canonical name). Sets an alias for a host name. For example, by using this record, zeta.microsoft.com can have an alias of www.microsoft.com.

§ MX (mail exchanger). Specifies a mail exchange server for the domain, which enables email messages to be delivered to the correct mail servers in the domain.

§ NS (name server). Specifies a name server for the domain, which enables DNS lookups within various zones. Each primary and secondary name server should be declared through this record.

§ PTR (pointer). Creates a pointer that maps an IP address to a host name for reverse lookups.

§ SOA (start of authority). Declares the host that’s the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone). Also declares other information about the zone, such as the responsible person, refresh interval, retry interval, and so on.

§ SRV (service location). Locates a server providing a specific service. Active Directory uses SRV records to locate domain controllers, global catalog servers, LDAP servers, and Kerberos servers. Most SRV records are created automatically. For example, Active Directory creates an SRV record when you promote a domain controller. LDAP servers can add an SRV record to indicate they are available to handle LDAP requests in a particular zone.

Adding address and pointer records

You use the A and AAAA records to map a host name to an IP address, and the PTR record creates a pointer to the host for reverse lookups. You can create address and pointer records at the same time or separately.

You create a new host entry with address and pointer records by following these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the domain you want to update, and then tap or click New Host (A Or AAAA). This opens the dialog box shown in Figure 9-6.

Figure 9-6. Create address records and pointer records simultaneously with the New Host dialog box.

3. Enter the single-part computer name, such as servicespc85, and then the IP address, such as 192.168.10.58.

4. Select the Create Associated Pointer (PTR) Record check box.

NOTE

You can create PTR records only if the corresponding reverse lookup zone is available. You can create this file by following the steps listed in Configuring reverse lookups earlier in this chapter. The Allow Any Authenticated User option is available only when a DNS server is configured on a domain controller.

5. Tap or click Add Host, and then tap or click OK. Repeat these steps as necessary to add other hosts.

6. Tap or click Done when you have finished.

Adding a PTR record later

If you need to add a PTR record later, you can do so by following these steps:

1. In the DNS Manager console, expand the Reverse Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the subnet you want to update, and then tap or click New Pointer (PTR).

3. Type the host IP address, such as 192.168.1.95, and then enter the host name, such as servicespc54. Tap or click OK.
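Both procedures from the command line, as an added example that is not from the book: an A record (and an AAAA record, going one step beyond the text) created together with its PTR record, a PTR record added on its own later, and a consistency audit that finds forward records with no matching reverse record. The audit is the check worth keeping, because the earlier section warns that out-of-sync zones can break authentication. The zone adatum.com and the IPv6 address are constructed; the host names and IPv4 addresses are the ones the text uses. The reverse zones for 192.168.10.0/24, 192.168.1.0/24 and the IPv6 prefix are assumed to exist already, as the NOTE requires.

```powershell
# Added example (not the book's code). Assumed: zone adatum.com; reverse
# zones 10.168.192.in-addr.arpa, 1.168.192.in-addr.arpa and the ip6.arpa
# zone for fd00:10:20::/64 already exist on this server.

$zone = 'adatum.com'

# Address records with their PTR records in one step (-CreatePtr is the
# "Create Associated Pointer (PTR) Record" check box).
Add-DnsServerResourceRecordA    -ZoneName $zone -Name 'servicespc85' -IPv4Address '192.168.10.58' -CreatePtr
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'servicespc85' -IPv6Address 'fd00:10:20::58' -CreatePtr

# A PTR record added later, directly in the reverse zone. The record
# name is the host part of the address (95 for 192.168.1.95).
Add-DnsServerResourceRecordPtr -ZoneName '1.168.192.in-addr.arpa' -Name '95' -PtrDomainName "servicespc54.$zone"

# Audit: every A record in the forward zone should reverse-resolve to
# the same fully qualified name. Reports one object per host.
function Test-PtrConsistency {
    param([string]$ZoneName, [string]$Server = 'localhost')
    Get-DnsServerResourceRecord -ComputerName $Server -ZoneName $ZoneName -RRType A |
        Where-Object { $_.HostName -ne '@' } |
        ForEach-Object {
            $ip   = $_.RecordData.IPv4Address.ToString()
            $fqdn = "$($_.HostName).$ZoneName"
            $ptr  = Resolve-DnsName -Name $ip -Type PTR -Server $Server -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Host    = $fqdn
                IP      = $ip
                PtrName = $ptr.NameHost
                InSync  = ($ptr.NameHost -eq $fqdn)
            }
        }
}

# Show only the hosts that need attention.
Test-PtrConsistency -ZoneName $zone | Where-Object { -not $_.InSync }
```

Hosts with a PTR that points at a different name usually indicate a reused address whose old reverse record was never cleaned up; hosts with no PTR at all usually mean the reverse zone for that subnet is missing.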

Adding DNS aliases with CNAME

You specify host aliases by using CNAME records. Aliases enable a single host computer to appear to be multiple host computers. For example, the host gamma.microsoft.com can be made to appear as www.microsoft.com and ftp.microsoft.com.

To create a CNAME record, follow these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the domain you want to update, and then tap or click New Alias (CNAME).

3. In the Alias Name text box, enter the alias. The alias is a single-part host name, such as www or ftp.

4. In the Fully Qualified Domain Name (FQDN) For Target Host text box, enter the full host name of the computer for which the alias is to be used.

5. Tap or click OK.

Adding mail exchange servers

MX records identify mail exchange servers for the domain. These servers are responsible for processing or forwarding email within the domain. When you create an MX record, you must specify a preference number for the mail server. A preference number is a value from 0 to 65,535 that denotes the mail server’s priority within the domain. The mail server with the lowest preference number has the highest priority and is the first to receive mail. If mail delivery fails, the mail server with the next lowest preference number is tried.

You create an MX record by following these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Press and hold or right-click the domain you want to update, and then tap or click New Mail Exchanger (MX).

3. You can now create a record for the mail server by filling in these text boxes:

o Host Or Child Domain. Using a single-part name, enter the name of the subdomain for which the server specified in this record is responsible. In most cases, you will leave this box blank, which specifies that there is no subdomain and the server is responsible for the domain in which this record is created.

o Fully Qualified Domain Name (FQDN). Enter the FQDN of the domain to which this mail exchange record should apply, such as cpandl.com.

o Fully Qualified Domain Name (FQDN) Of Mail Server. Enter the FQDN of the mail server that should handle mail receipt and delivery, such as corpmail.cpandl.com. Email for the previously specified domain is routed to this mail server for delivery.

o Mail Server Priority. Enter a preference number for the host from 0 to 65,535.

NOTE

Assign preference numbers that leave room for growth. For example, use 10 for your highest priority mail server, 20 for the next, and 30 for the one after that.

REAL WORLD

You can’t enter a multipart name in the Host Or Child Domain text box. If you need to enter a multipart name, you are creating the MX record at the wrong level of the DNS hierarchy. Create or access the additional domain level, and then add an MX record at this level for the subdomain.

4. Tap or click OK.
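The CNAME and MX procedures from the command line, as an added example that is not from the book. It creates the www and ftp aliases for one host, adds three MX records at the zone apex with preference values spaced as the NOTE recommends, shows the delivery order a sending mail server would derive, and checks that each MX target is an address record rather than an alias. The zone cpandl.com, corpmail.cpandl.com and gamma come from the text; the other mail server names are constructed.

```powershell
# Added example (not the book's code). Assumed: zone cpandl.com hosted on
# dns01; gamma.cpandl.com and the mail servers have A records already.

$zone = 'cpandl.com'

# Aliases: a single host reachable as www and ftp.
foreach ($alias in 'www', 'ftp') {
    Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias "gamma.$zone"
}

# MX records for the domain itself (-Name '.' is the "Host Or Child
# Domain" box left blank). Lowest preference is tried first; 10/20/30
# leaves room to slot in servers later without renumbering.
$mx = @(
    @{ Server = "corpmail.$zone";   Pref = 10 },
    @{ Server = "corpmail2.$zone";  Pref = 20 },
    @{ Server = "mailbackup.$zone"; Pref = 30 }
)
foreach ($m in $mx) {
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange $m.Server -Preference $m.Pref
}

# Delivery order as a sending mail server sees it.
Resolve-DnsName -Name $zone -Type MX -Server 'dns01' |
    Sort-Object Preference | Select-Object Preference, NameExchange

# Check: an MX target must be a host with address records, not a CNAME
# (RFC 2181 section 10.3); many senders reject or mishandle aliases here.
foreach ($m in $mx) {
    $rec = Resolve-DnsName -Name $m.Server -Server 'dns01' -ErrorAction SilentlyContinue
    if (-not $rec) {
        "MX target $($m.Server) does not resolve"
    } elseif ($rec.Type -contains 'CNAME') {
        "MX target $($m.Server) is a CNAME; point the MX at the canonical host instead"
    }
}
```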

Adding name servers

NS records specify the name servers for the domain. Each primary and secondary name server should be declared through this record. If you obtain secondary name services from an ISP, be sure to insert the appropriate NS records.

You create an NS record by following these steps:

1. In the DNS Manager console, expand the Forward Lookup Zones folder for the server with which you want to work.

2. Display the DNS records for the domain by selecting the domain folder in the tree view.

3. Press and hold or right-click an existing NS record in the view pane, and then tap or click Properties. This opens the Properties dialog box for the domain with the Name Servers tab selected, as shown in Figure 9-7.

Figure 9-7. Configure name servers for the domain through the domain’s Properties dialog box.

4. Tap or click Add. This displays the New Name Server Record dialog box.

5. In the Server Fully Qualified Domain Name text box, enter the name of a DNS server for the child domain, such as corpserver01.cpandl.com and then tap or click Resolve. The server then performs a lookup query and adds the resolved IP address to the IP Address list.

6. Repeat step 5 to specify additional name servers. The order of the entries determines which IP address is used first. Change the order as necessary by using the Up and Down buttons. When you are ready to continue, tap or click OK to close the New Name Server Record dialog box.

7. Tap or click OK to save your changes.
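The same MX and NS records can be created from the DnsServer PowerShell module that installs with the DNS Server role. The script below is an added example, not part of the book's text; the zone name cpandl.com, the mail hosts, and the ISP name server are constructed placeholders. It spaces the MX preferences 10/20/30 as recommended above and then checks that every NS target actually resolves, since a name server record pointing at an unresolvable host is a silent delegation failure.

```powershell
# Added example (not from the book): create MX and NS records with the DnsServer module.
# Zone name, mail hosts and name server names below are constructed placeholders.
Import-Module DnsServer

$zone = 'cpandl.com'

# MX records: leave gaps between preference values so a new relay can be slotted in
# later without renumbering (lower preference = tried first).
$mailHosts = @(
    @{ Host = 'mail1.cpandl.com.'; Preference = 10 },
    @{ Host = 'mail2.cpandl.com.'; Preference = 20 },
    @{ Host = 'mail3.cpandl.com.'; Preference = 30 }
)
foreach ($mx in $mailHosts) {
    # -Name '.' places the record at the zone apex, which is what leaving the
    # Host Or Child Domain box empty does in the console. A subdomain gets its own
    # MX records at its own zone level, never a multipart name here.
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' `
        -MailExchange $mx.Host -Preference $mx.Preference -TimeToLive '01:00:00'
}

# NS records: one per authoritative server, including any secondary run by an ISP.
$nameServers = 'corpserver01.cpandl.com.', 'ns2.isp.example.'
foreach ($ns in $nameServers) {
    Add-DnsServerResourceRecord -ZoneName $zone -NS -Name '.' -NameServer $ns
}

# Verify the NS targets resolve; the console's Resolve button does the same lookup.
Get-DnsServerResourceRecord -ZoneName $zone -RRType NS | ForEach-Object {
    $target = $_.RecordData.NameServer
    $answer = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{ NameServer = $target; Resolves = [bool]$answer }
}

# Show the mail exchangers in the order a sending MTA will try them.
Get-DnsServerResourceRecord -ZoneName $zone -RRType MX |
    Sort-Object { $_.RecordData.Preference } |
    Format-Table HostName,
        @{ n = 'Pref';     e = { $_.RecordData.Preference } },
        @{ n = 'Exchange'; e = { $_.RecordData.MailExchange } } -AutoSize
```

Run it on the DNS server itself (or add -ComputerName to each DnsServer cmdlet) with an account that can modify the zone.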

Viewing and updating DNS records

To view or update DNS records, follow these steps:

1. Double-tap or double-click the zone with which you want to work. Records for the zone should be displayed in the right pane.

2. Double-tap or double-click the DNS record you want to view or update. This opens the record’s Properties dialog box. Make the necessary changes, and then tap or click OK.

Updating zone properties and the SOA record

Each zone has separate properties you can configure. These properties set general zone parameters by using the SOA record, change notification, and WINS integration. In the DNS Manager console, you set zone properties by doing one of the following:

§ Press and hold or right-click the zone you want to update, and then tap or click Properties.

§ Select the zone, and then tap or click Properties on the Action menu.

The Properties dialog boxes for forward and reverse lookup zones are identical except for the WINS and WINS-R tabs. In forward lookup zones, you use the WINS tab to configure lookups for NetBIOS computer names. In reverse lookup zones, you use the WINS-R tab to configure reverse lookups for NetBIOS computer names.

Modifying the SOA record

An SOA record designates the authoritative name server for a zone and sets general zone properties, such as retry and refresh intervals. You can modify this information by following these steps:

1. In the DNS Manager console, press and hold or right-click the zone you want to update, and then tap or click Properties.

2. Tap or click the Start Of Authority (SOA) tab, and then update the text boxes shown in Figure 9-8.

Figure 9-8. In the zone’s Properties dialog box, set general properties for the zone and update the SOA record.

You use the text boxes on the Start Of Authority (SOA) tab as follows:

§ Serial Number. A serial number that indicates the version of the DNS database files. The number is updated automatically whenever you make changes to zone files. You can also update the number manually. Secondary servers use this number to determine whether the zone’s DNS records have changed. If the primary server’s serial number is larger than the secondary server’s serial number, the records have changed, and the secondary server can request the DNS records for the zone. You can also configure DNS to notify secondary servers of changes (which might speed up the update process).

§ Primary Server. The FQDN for the name server followed by a period. The period is used to terminate the name and ensure that the domain information isn’t appended to the entry.

§ Responsible Person. The email address of the person in charge of the domain. The default entry is hostmaster followed by a period followed by your domain name, meaning hostmaster@your_domain.com. If you change this entry, substitute a period in place of the @ symbol in the email address and terminate the address with a period.

§ Refresh Interval. The interval at which a secondary server checks for zone updates. The default value is 15 minutes. You reduce network traffic by increasing this value. However, keep in mind that if the interval is set to 60 minutes, NS record changes might not be propagated to a secondary server for up to an hour.

§ Retry Interval. The time the secondary server waits after a failure to download the zone database. If the interval is set to 10 minutes and a zone database transfer fails, the secondary server waits 10 minutes before requesting the zone database once more.

§ Expires After. The period of time for which zone information is valid on the secondary server. If the secondary server can’t download data from a primary server within this period, the secondary server lets the data in its cache expire and stops responding to DNS queries. Setting Expires After to seven days enables the data on a secondary server to be valid for seven days.

§ Minimum (Default) TTL. The minimum time-to-live (TTL) value for cached records on a secondary server. The value can be set in days, hours, minutes, or seconds. When this value is reached, the secondary server causes the associated record to expire and discards it. The next request for the record needs to be sent to the primary server for resolution. Set the minimum TTL to a relatively high value, such as 24 hours, to reduce traffic on the network and increase efficiency. Keep in mind that a higher value slows down the propagation of updates through the Internet.

§ TTL For This Record. The TTL value for this particular SOA record. The value is set in the format Days : Hours : Minutes : Seconds and generally should be the same as the minimum TTL for all records.
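The SOA fields listed above map onto the RecordData properties of the zone's SOA record, so the same changes can be scripted. The function below is an added example, not part of the book's text; the zone name and timer values are constructed, and the RFC 1912 consistency checks (retry shorter than refresh, expire longer than refresh plus retry) are added here because the console does not enforce them. The serial number is left alone because the server increments it itself when the zone changes.

```powershell
# Added example (not from the book): read and update the SOA timers of a primary zone.
# Zone name and timer values are constructed; adjust them to your environment.
Import-Module DnsServer

function Set-ZoneSoaTimers {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [timespan]$Refresh = '00:15:00',    # how often secondaries poll for a new serial
        [timespan]$Retry   = '00:10:00',    # wait after a failed transfer attempt
        [timespan]$Expire  = '7.00:00:00',  # secondary stops answering after this
        [timespan]$MinTtl  = '1.00:00:00',  # Minimum (Default) TTL
        [string]$ResponsiblePerson          # e.g. 'hostmaster.cpandl.com.' (@ replaced by a period)
    )
    # Consistency checks the Start Of Authority tab does not perform (RFC 1912 guidance)
    if ($Retry -ge $Refresh)             { throw 'Retry must be shorter than Refresh.' }
    if ($Expire -le ($Refresh + $Retry)) { throw 'Expire must exceed Refresh + Retry.' }

    # Same clone-and-replace pattern Set-DnsServerResourceRecord is documented with
    $old = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType SOA
    $new = $old.Clone()
    $new.RecordData.RefreshInterval   = $Refresh
    $new.RecordData.RetryInterval     = $Retry
    $new.RecordData.ExpireLimit       = $Expire
    $new.RecordData.MinimumTimeToLive = $MinTtl
    if ($ResponsiblePerson) { $new.RecordData.ResponsiblePerson = $ResponsiblePerson }

    # SerialNumber is not touched: the server bumps it on any zone change, and
    # secondaries only transfer when the primary's serial is larger than theirs.
    Set-DnsServerResourceRecord -ZoneName $ZoneName -OldInputObject $old -NewInputObject $new

    # Echo the stored values back so the change can be confirmed
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType SOA |
        Select-Object -ExpandProperty RecordData |
        Select-Object PrimaryServer, ResponsiblePerson, SerialNumber,
                      RefreshInterval, RetryInterval, ExpireLimit, MinimumTimeToLive
}

# One-hour refresh and a 24-hour default TTL, as discussed above; NS changes may now
# take up to an hour to reach secondaries that are not notified.
Set-ZoneSoaTimers -ZoneName 'cpandl.com' -Refresh '01:00:00' -Retry '00:15:00' `
    -ResponsiblePerson 'hostmaster.cpandl.com.'
```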

Allowing and restricting zone transfers

Zone transfers send a copy of zone information to other DNS servers. These servers can be in the same domain or in other domains. For security reasons, Windows Server 2012 R2 disables zone transfers. To enable zone transfers for secondaries you’ve configured internally or with ISPs, you need to permit zone transfers and then specify the types of servers to which zone transfers can be made.

Although you can allow zone transfers with any server, this opens the server to possible security problems. Instead of opening the floodgates, you should restrict access to zone information so that only servers you’ve identified can request updates from the zone’s primary server. This enables you to funnel requests through a select group of secondary servers, such as your ISP’s secondary name servers, and to hide the details of your internal network from the outside world.

To allow zone transfers and restrict access to the primary zone database, follow these steps:

1. In the DNS Manager console, press and hold or right-click the domain or subnet you want to update, and then tap or click Properties.

2. Tap or click the Zone Transfers tab, as shown in Figure 9-9.

Figure 9-9. Use the Zone Transfers tab to allow zone transfers to any server or to designated servers.

3. To restrict transfers to name servers listed on the Name Servers tab, select the Allow Zone Transfers check box, and then choose Only To Servers Listed On The Name Servers Tab.

4. To restrict transfers to designated servers, select the Allow Zone Transfers check box and then choose Only To The Following Servers. Then tap or click Edit as appropriate to display the Allow Zone Transfers dialog box. Tap or click in the IP Address list, enter the IP address of the secondary server for the zone, and then press Enter. Windows then attempts to validate the server. If an error occurs, make sure the server is connected to the network and that you’ve entered the correct IP address. If you want to copy zone data from other servers in case the first server isn’t available, you can add IP addresses for other servers as well. Tap or click OK.

5. Tap or click OK to save your changes.

Notifying secondaries of changes

You set properties for a zone with its SOA record. These properties control how DNS information is propagated on the network. You can also specify that the primary server should notify secondary name servers when changes are made to the zone database. To do this, follow these steps:

1. In the DNS Manager console, press and hold or right-click the domain or subnet you want to update, and then tap or click Properties.

2. On the Zone Transfers tab, tap or click Notify. This displays the Notify dialog box shown in Figure 9-10.

Figure 9-10. In the Notify dialog box, notify all secondaries listed on the Name Servers tab of the Properties dialog box or specific servers that you designate.

3. To notify secondary servers listed on the Name Servers tab, select the Automatically Notify check box, and then choose Servers Listed On The Name Servers Tab.

4. If you want to designate specific servers to notify, select the Automatically Notify check box, and then choose The Following Servers. Tap or click in the IP Address list, enter the IP address of the secondary server for the zone, and then press Enter. Windows then attempts to validate the server. If an error occurs, make sure the server is connected to the network and that you entered the correct IP address. If you want to notify other servers, add IP addresses for those servers as well.

5. Tap or click OK twice.

Setting the zone type

When you create zones, they’re designated as having a specific zone type and an Active Directory integration mode. You can change the type and integration mode at any time by following these steps:

1. In the DNS Manager console, press and hold or right-click the domain or subnet you want to update, and then tap or click Properties.

2. Under Type on the General tab, tap or click Change. In the Change Zone Type dialog box, select the new type for the zone.

3. To integrate the zone with Active Directory, select the Store The Zone In Active Directory check box.

4. To remove the zone from Active Directory, clear the Store The Zone In Active Directory check box.

5. Tap or click OK twice.

Enabling and disabling dynamic updates

Dynamic updates enable DNS clients to register and maintain their own address and pointer records. This is useful for computers dynamically configured through DHCP. By enabling dynamic updates, you make it easier for dynamically configured computers to locate one another on the network. When a zone is integrated with Active Directory, you have the option of requiring secure updates. With secure updates, you use ACLs to control which computers and users can dynamically update DNS.

You can enable and disable dynamic updates by following these steps:

1. In the DNS Manager console, press and hold or right-click the domain or subnet you want to update, and then tap or click Properties.

2. Use the following options in the Dynamic Updates list on the General tab to enable or disable dynamic updates:

o None. Disable dynamic updates.

o Nonsecure And Secure. Enable nonsecure and secure dynamic updates.

o Secure Only. Enable dynamic updates with Active Directory security. This is available only with Active Directory integration.

3. Tap or click OK.

NOTE

DNS integration settings must also be configured for DHCP. See Integrating DHCP and DNS in Chapter 8.
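The zone-transfer, notification, and dynamic-update settings from the preceding three procedures are all properties of the zone object, so they can be set in one place and, more usefully, audited across every zone on a server. The script below is an added example, not part of the book's text; the zone name and secondary addresses are constructed. Protect-PrimaryZone applies the restrictive choices described above (transfers and notifications only to listed secondaries, Secure Only updates where the zone is in Active Directory), and Get-ZoneExposure flags zones still set to transfer to any server or to accept nonsecure updates.

```powershell
# Added example (not from the book): lock down zone transfers, notification and
# dynamic updates for one zone, then audit all primary zones on the server.
# Zone name and addresses are constructed placeholders.
Import-Module DnsServer

function Protect-PrimaryZone {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [Parameter(Mandatory)][ipaddress[]]$Secondaries   # the only hosts allowed to pull the zone
    )
    $settings = @{
        Name              = $ZoneName
        SecureSecondaries = 'TransferToSecureServers'   # Only To The Following Servers
        SecondaryServers  = $Secondaries
        Notify            = 'NotifyServers'             # The Following Servers (Notify dialog)
        NotifyServers     = $Secondaries
    }
    Set-DnsServerPrimaryZone @settings

    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.IsDsIntegrated) {
        # Secure Only is available only for Active Directory-integrated zones
        Set-DnsServerPrimaryZone -Name $ZoneName -DynamicUpdate Secure
    } else {
        # A file-backed zone can be moved into AD first with
        # ConvertTo-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain
        Write-Warning "$ZoneName is file-backed; Secure Only dynamic updates require AD integration."
    }
}

function Get-ZoneExposure {
    # Lists every primary zone with the two settings the text warns against flagged.
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                Zone             = $_.ZoneName
                ADIntegrated     = $_.IsDsIntegrated
                Transfers        = $_.SecureSecondaries
                Notify           = $_.Notify
                DynamicUpdate    = $_.DynamicUpdate
                OpenToAnyServer  = ($_.SecureSecondaries -eq 'TransferAnyServer')
                NonsecureUpdates = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
            }
        }
}

Protect-PrimaryZone -ZoneName 'cpandl.com' -Secondaries '10.0.0.21', '203.0.113.53'
Get-ZoneExposure | Format-Table -AutoSize
```

Run Get-ZoneExposure on its own as a periodic check; any row with OpenToAnyServer or NonsecureUpdates set to True is a zone that drifted from the configuration described above.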

Managing DNS server configuration and security

You use the Server Properties dialog box to manage the general configuration of DNS servers. Through it, you can enable and disable IP addresses for the server and control access to DNS servers outside the organization. You can also configure monitoring, logging, and advanced options.

Enabling and disabling IP addresses for a DNS server

By default, multihomed DNS servers respond to DNS requests on all available network interfaces and the IP addresses they’re configured to use.

Through the DNS Manager console, you can specify that the server can answer requests only on specific IP addresses. Generally, you’ll want to ensure that a DNS server has at least one IPv4 interface and one IPv6 interface.

To specify which IP addresses are used for answering requests, follow these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. On the Interfaces tab, select Only The Following IP Addresses. Select an IP address that should respond to DNS requests, or clear an IP address that should not respond to DNS requests. Only the selected IP addresses will be used for DNS. All other IP addresses on the server will be disabled for DNS.

3. Tap or click OK.
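The Interfaces tab setting is stored as the ListeningIPAddress property of the server's extended settings object, which is how it is changed from PowerShell. The script below is an added example, not part of the book's text; the two addresses are constructed placeholders, one IPv4 and one IPv6 as the text recommends. The final loop reports which of the server's addresses will no longer answer DNS, which is worth confirming before the change goes live on a multihomed host.

```powershell
# Added example (not from the book): restrict a multihomed DNS server to specific
# listening addresses. The addresses below are constructed placeholders.
Import-Module DnsServer

function Set-DnsListeningAddress {
    param([Parameter(Mandatory)][string[]]$Addresses)
    # ListeningIPAddress is exposed only on the extended settings object (-All);
    # writing it back is the equivalent of Only The Following IP Addresses.
    $settings = Get-DnsServerSetting -All
    $settings.ListeningIPAddress = [ipaddress[]]$Addresses
    Set-DnsServerSetting -InputObject $settings
    (Get-DnsServerSetting -All).ListeningIPAddress
}

# Keep one IPv4 and one IPv6 address; everything else stops answering DNS.
Set-DnsListeningAddress -Addresses '10.0.0.5', '2001:db8::5'

# Report the addresses present on the server that DNS will now ignore
$current = Get-DnsServerSetting -All
$listening = $current.ListeningIPAddress | ForEach-Object { $_.IPAddressToString }
$current.AllIPAddress |
    Where-Object { $_.IPAddressToString -notin $listening } |
    ForEach-Object { "$($_.IPAddressToString) is configured on the host but will not answer DNS" }
```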

Controlling access to DNS servers outside the organization

Restricting access to zone information enables you to specify which internal and external servers can access the primary server. For external servers, this controls which servers can get in from the outside world. You can also control which DNS servers within your organization can access servers outside of your organization. To do this, you need to set up DNS forwarding within the domain.

With DNS forwarding, you configure DNS servers within the domain as one of the following:

§ Nonforwarders. Servers that must pass DNS queries they can’t resolve to designated forwarding servers. These servers essentially act like DNS clients to their forwarding servers.

§ Forwarding-only. Servers that can only cache responses and pass requests to forwarders. These are also known as caching-only DNS servers.

§ Forwarders. Servers that receive requests from nonforwarders and forwarding-only servers. Forwarders use standard DNS communication methods to resolve queries and to send responses back to other DNS servers.

§ Conditional forwarders. Servers that forward requests based on the DNS domain. Conditional forwarding is useful if your organization has multiple internal domains.

NOTE

You can’t configure the root server for a domain for forwarding (except for conditional forwarding used with internal name resolution). You can configure all other servers for forwarding.

Creating nonforwarding and forwarding-only servers

To create a nonforwarding or forwarding-only DNS server, follow these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. Tap or click the Advanced tab. To configure the server as a nonforwarder, ensure that the Disable Recursion check box is cleared, tap or click OK, and then skip the remaining steps. To configure the server as a forwarding-only server, be sure that the Disable Recursion check box is selected.

3. On the Forwarders tab, tap or click Edit. This displays the Edit Forwarders dialog box.

4. Tap or click in the IP Address list, type the IP address of a forwarder for the network, and then press Enter. Windows then attempts to validate the server. If an error occurs, make sure the server is connected to the network and that you’ve entered the correct IP address. Repeat this process to specify the IP addresses of other forwarders.

5. Set the Forward Queries Time Out interval. This value controls how long the nonforwarder tries to query the current forwarder if it gets no response. When the Forward Time Out interval passes, the nonforwarder tries the next forwarder on the list. The default is three seconds. Tap or click OK.

Creating forwarding servers

Any DNS server that isn’t designated as a nonforwarder or a forwarding-only server will act as a forwarder. Thus, on the network’s designated forwarders you should be sure that the Disable Recursion option is not selected and that you haven’t configured the server to forward requests to other DNS servers in the domain.

Configuring conditional forwarding

If you have multiple internal domains, you might want to consider configuring conditional forwarding, which enables you to direct requests for specific domains to specific DNS servers for resolution. Conditional forwarding is useful if your organization has multiple internal domains and you need to resolve requests between these domains.

To configure conditional forwarding, follow these steps:

1. In the DNS Manager console, select and then press and hold or right-click the Conditional Forwarders folder for the server with which you want to work. Tap or click New Conditional Forwarder on the shortcut menu.

2. In the New Conditional Forwarder dialog box, enter the name of a domain to which queries should be forwarded, such as adatum.com.

3. Tap or click in the IP Address list, type the IP address of an authoritative DNS server in the specified domain, and then press Enter. Repeat this process to specify additional IP addresses.

4. If you’re integrating DNS with Active Directory, select the Store This Conditional Forwarder In Active Directory check box, and then choose one of the following replication strategies:

o All DNS Servers In This Forest. Choose this strategy if you want the widest replication strategy. Remember, the Active Directory forest includes all domain trees that share the directory data with the current domain.

o All DNS Servers In This Domain. Choose this strategy if you want to replicate forwarder information within the current domain and child domains of the current domain.

o All Domain Controllers In This Domain. Choose this strategy if you want to replicate forwarder information to all domain controllers within the current domain and child domains of the current domain. Although this strategy gives wider replication for forwarder information within the domain, not every domain controller is a DNS server as well (nor do you need to configure every domain controller as a DNS server).

5. Set the Forward Queries Time Out interval. This value controls how long the server tries to query the forwarder if it gets no response. When the Forward Time Out interval passes, the server tries the next authoritative server on the list. The default is five seconds. Tap or click OK.

6. Repeat this procedure to configure conditional forwarding for other domains.
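The forwarding roles described above and the conditional-forwarder procedure come down to three cmdlets: Set-DnsServerRecursion, Set-DnsServerForwarder and Add-DnsServerConditionalForwarderZone. The script below is an added example, not part of the book's text; the forwarder addresses and the adatum.com domain are constructed. One point to note when translating the console steps: on this server version the Advanced-tab check box reads "Disable recursion (also disables forwarders)", so the forwarding-only role is expressed here by turning off the root-hint fallback on the Forwarders tab instead, which leaves the server a caching forwarder that never walks the root itself.

```powershell
# Added example (not from the book): configure the forwarding roles from the text and
# add a conditional forwarder. Addresses and domain names are constructed placeholders.
Import-Module DnsServer

function Set-DnsForwardingRole {
    param(
        [Parameter(Mandatory)][ValidateSet('Nonforwarder', 'ForwardingOnly', 'Forwarder')]
        [string]$Role,
        [ipaddress[]]$Forwarders,
        [uint32]$TimeoutSeconds = 3      # Forward Queries Time Out; default is three seconds
    )
    switch ($Role) {
        'Nonforwarder' {
            # Recursion on; anything it cannot answer goes to the forwarders in order
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Forwarders -Timeout $TimeoutSeconds -UseRootHint $true
        }
        'ForwardingOnly' {
            # Caching-only: forward, and never fall back to root hints if forwarders fail
            Set-DnsServerRecursion -Enable $true
            Set-DnsServerForwarder -IPAddress $Forwarders -Timeout $TimeoutSeconds -UseRootHint $false
        }
        'Forwarder' {
            # Resolves on behalf of the others: recursion on, no forwarders of its own
            Set-DnsServerRecursion -Enable $true
            Get-DnsServerForwarder | Select-Object -ExpandProperty IPAddress |
                ForEach-Object { Remove-DnsServerForwarder -IPAddress $_ -Force }
        }
    }
}

function Add-InternalConditionalForwarder {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [Parameter(Mandatory)][ipaddress[]]$AuthoritativeServers,
        # Forest  = All DNS Servers In This Forest
        # Domain  = All DNS Servers In This Domain
        # Legacy  = All Domain Controllers In This Domain
        [ValidateSet('Forest', 'Domain', 'Legacy')][string]$ReplicationScope = 'Domain',
        [uint32]$TimeoutSeconds = 5      # default for conditional forwarders is five seconds
    )
    Add-DnsServerConditionalForwarderZone -Name $Domain -MasterServers $AuthoritativeServers `
        -ReplicationScope $ReplicationScope -ForwarderTimeout $TimeoutSeconds
}

Set-DnsForwardingRole -Role Nonforwarder -Forwarders '10.0.0.10', '10.0.0.11'
Add-InternalConditionalForwarder -Domain 'adatum.com' -AuthoritativeServers '10.1.0.53' -ReplicationScope Forest

# Review the result: recursion state, general forwarders, and conditional forwarder zones
Get-DnsServerRecursion | Select-Object Enable
Get-DnsServerForwarder | Select-Object IPAddress, Timeout, UseRootHint
Get-DnsServerZone | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers, ReplicationScope, ForwarderTimeout
```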

Enabling and disabling event logging

By default, the DNS service tracks all events for DNS in the DNS Server event log. This log records all applicable DNS events and is accessible through the Event Viewer node in Computer Management. This means that all informational, warning, and error events are recorded. You can change the logging options by following these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. Use the options on the Event Logging tab to configure DNS logging. To disable logging altogether, choose No Events.

3. Tap or click OK.

Using debug logging to track DNS activity

You typically use the DNS Server event log to track DNS activity on a server. This log records all applicable DNS events and is accessible through the Event Viewer node in Computer Management. If you’re trying to troubleshoot DNS problems, it’s sometimes useful to configure a temporary debug log to track certain types of DNS events. However, don’t forget to clear these events after you finish debugging.

To configure debugging, follow these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. On the Debug Logging tab, shown in Figure 9-11, select the Log Packets For Debugging check box, and then select the check boxes for the events you want to track temporarily.

Figure 9-11. Use the Debug Logging tab to select the events you want to log.

3. In the File Path And Name text box, enter the name of the log file, such as dns.logs. Logs are stored in the %SystemRoot%\System32\Dns directory by default.

4. Tap or click OK. When finished debugging, turn off logging by clearing the Log Packets For Debugging check box.
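Both the Event Logging tab and the Debug Logging tab are driven by Set-DnsServerDiagnostics, which makes it easy to script a bounded troubleshooting window: turn packet logging on, collect, turn it off again as the text reminds you to. The script below is an added example, not part of the book's text. The log path follows the default directory named above; the numeric event-log levels mirror the scale dnscmd /Config /EventLogLevel uses; and the four sample log lines are constructed in the layout of the Windows DNS packet log so that the per-client summary can be tried offline.

```powershell
# Added example (not from the book): set the event log level, start and stop packet
# debug logging, and summarize inbound queries per client from the log file.
# Path and sample log lines are constructed.
Import-Module DnsServer

function Set-DnsEventLogLevel {
    param([Parameter(Mandatory)][ValidateSet('None', 'Errors', 'ErrorsAndWarnings', 'All')][string]$Level)
    # Same numeric scale as dnscmd /Config /EventLogLevel
    $map = @{ None = 0; Errors = 1; ErrorsAndWarnings = 2; All = 4 }
    Set-DnsServerDiagnostics -EventLogLevel $map[$Level]
}

# The check boxes on the Debug Logging tab, as cmdlet parameters
$packetFlags = @{
    Queries = $true; Answers = $true; Updates = $true; Notifications = $true
    QuestionTransactions = $true; ReceivePackets = $true; SendPackets = $true
    UdpPackets = $true; TcpPackets = $true
}

function Start-DnsDebugLog {
    param([string]$Path = "$env:SystemRoot\System32\Dns\dns.log")
    Set-DnsServerDiagnostics @packetFlags -LogFilePath $Path
}

function Stop-DnsDebugLog {
    # Equivalent of clearing Log Packets For Debugging: every packet flag back to off
    $off = @{}
    foreach ($k in $packetFlags.Keys) { $off[$k] = $false }
    Set-DnsServerDiagnostics @off
}

function Get-DnsDebugTopClients {
    # Counts received queries (Rcv ... Q) per source address in packet-log lines.
    param([Parameter(Mandatory)][string[]]$Lines, [int]$Top = 5)
    $rx = 'PACKET\s+\S+\s+(?:UDP|TCP)\s+Rcv\s+(?<client>\S+)\s+\S+\s+Q\s'
    $Lines | ForEach-Object { if ($_ -match $rx) { $Matches['client'] } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object -Property Name, Count -First $Top
}

# Constructed sample lines in the Windows DNS debug log layout (one response, three queries)
$sample = @'
3/5/2014 10:15:22 AM 0A2C PACKET  000000A3B7D2C0 UDP Rcv 10.0.0.50      0002   Q [0001   D   NOERROR] A      (3)www(6)cpandl(3)com(0)
3/5/2014 10:15:22 AM 0A2C PACKET  000000A3B7D2C0 UDP Snd 10.0.0.50      0002 R Q [8081   DR  NOERROR] A      (3)www(6)cpandl(3)com(0)
3/5/2014 10:15:23 AM 0A2C PACKET  000000A3B7D3E0 UDP Rcv 10.0.0.50      0003   Q [0001   D   NOERROR] MX     (6)cpandl(3)com(0)
3/5/2014 10:15:23 AM 0A2C PACKET  000000A3B7D4F0 UDP Rcv 10.0.0.77      0004   Q [0001   D   NOERROR] A      (4)mail(6)cpandl(3)com(0)
'@ -split "`r?`n"

Get-DnsDebugTopClients -Lines $sample      # 10.0.0.50 => 2, 10.0.0.77 => 1

# Typical troubleshooting window on a live server:
#   Start-DnsDebugLog; <reproduce the problem>; Stop-DnsDebugLog
#   Get-DnsDebugTopClients -Lines (Get-Content "$env:SystemRoot\System32\Dns\dns.log")
```

A client that dominates the summary during an incident is the first thing to look at; a query count out of proportion to the host's role is also a reasonable thing to alert on once the log is collected centrally.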

Monitoring a DNS server

Windows Server 2012 R2 has built-in functionality for monitoring a DNS server. Monitoring is useful to ensure that DNS resolution is configured properly.

You can configure monitoring to occur manually or automatically by following these steps:

1. In the DNS Manager console, press and hold or right-click the server you want to configure, and then tap or click Properties.

2. Tap or click the Monitoring tab, shown in Figure 9-12. You can perform two types of tests. To test DNS resolution on the current server, select the A Simple Query Against This DNS Server check box. To test DNS resolution in the domain, select the A Recursive Query To Other DNS Servers check box.

Figure 9-12. Configure a DNS server for manual or automatic monitoring on the Monitoring tab.

3. You can perform a manual test by tapping or clicking Test Now. You can schedule the server for automatic monitoring by selecting the Perform Automatic Testing At The Following Interval check box and then setting a time interval in seconds, minutes, or hours.

4. The Test Results panel shows the results of testing. You’ll receive a date and time stamp indicating when the test was performed and a result, such as Pass or Fail. Although a single failure might be the result of a temporary outage, multiple failures typically indicate a DNS resolution problem.

NOTE

If all recursive query tests fail, the advanced server option Disable Recursion might be selected. Tap or click the Advanced tab and check the server options.

REAL WORLD

If you’re actively troubleshooting a DNS problem, you might want to configure testing to occur every 10–15 seconds. This interval will provide a rapid succession of test results. If you’re monitoring DNS for problems as part of your daily administrative duties, you’ll want a longer time interval, such as two or three hours.
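The two Monitoring-tab tests are a simple query the server answers from its own zones and a recursive query it must resolve through other servers, and both can be scripted so the results land somewhere other than a dialog box. The script below is an added example, not part of the book's text; the server address, the two test names and the 15-second interval are constructed (the interval follows the troubleshooting guidance above). When the recursive test fails it performs the check from the note above, reading the server's recursion setting, and it distinguishes a single failed probe from the consecutive failures that the text says indicate a real resolution problem.

```powershell
# Added example (not from the book): run the simple and recursive monitoring tests on a
# schedule and flag repeated failures. Server address, names and interval are constructed.
Import-Module DnsServer

function Test-DnsServerHealth {
    param(
        [string]$Server        = '10.0.0.5',
        [string]$LocalName     = 'corpserver01.cpandl.com',  # a name from a zone this server hosts
        [string]$RecursiveName = 'www.microsoft.com'         # a name only recursion can answer
    )
    # -DnsOnly bypasses the hosts file and NetBIOS so only the server under test is exercised
    $simple    = Resolve-DnsName -Name $LocalName     -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue
    $recursive = Resolve-DnsName -Name $RecursiveName -Type A -Server $Server -DnsOnly -ErrorAction SilentlyContinue

    $simpleResult    = if ($simple)    { 'Pass' } else { 'Fail' }
    $recursiveResult = if ($recursive) { 'Pass' } else { 'Fail' }
    $note = ''
    if (-not $recursive) {
        # The note above: all recursive tests failing usually means Disable Recursion is set
        $rec = Get-DnsServerRecursion -ComputerName $Server -ErrorAction SilentlyContinue
        if ($rec -and -not $rec.Enable) { $note = 'Recursion is disabled on the server' }
    }
    [pscustomobject]@{
        Time      = Get-Date
        Server    = $Server
        Simple    = $simpleResult
        Recursive = $recursiveResult
        Note      = $note
    }
}

function Watch-DnsServer {
    param(
        [int]$IntervalSeconds = 15,   # 10-15 s while troubleshooting; hours for routine monitoring
        [int]$Iterations      = 4,
        [int]$FailThreshold   = 3     # consecutive failures before it is called a real problem
    )
    $consecutive = 0
    for ($i = 0; $i -lt $Iterations; $i++) {
        $r = Test-DnsServerHealth
        $r
        if ($r.Simple -eq 'Fail' -or $r.Recursive -eq 'Fail') { $consecutive++ } else { $consecutive = 0 }
        if ($consecutive -ge $FailThreshold) {
            Write-Warning "$consecutive consecutive failures against $($r.Server): resolution problem, not a blip"
        }
        if ($i -lt $Iterations - 1) { Start-Sleep -Seconds $IntervalSeconds }
    }
}

Watch-DnsServer -IntervalSeconds 15 -Iterations 4 | Format-Table -AutoSize
```

Pipe the output to Export-Csv or a scheduled-task log instead of Format-Table to keep the same Pass/Fail-with-timestamp record the Test Results panel shows, but retained across sessions.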