Previous Page
Next Page

4.5. Building a Nameserver

In this section, I'll guide you through the process of actually creating a nameserver, and then in the remainder of the chapter I'll add to the functionality of the nameserver to prepare it for use with Active Directory.

Nameservers need a constant connection to the Internet and a non-changing IP, either set statically on the server itself or delivered consistently through a DHCP reservation. The machine you're building out as a nameserver doesn't need to be that powerful; a fast Pentium III machine with 512 MB or so of RAM will be more than sufficient.

In the following examples, I will use the fictitious domain name hasselltech.net, with the also fictitious machine name colossus and IP address 192.168.0.5. You can, of course, replace these as appropriate when following along with your own computer.


The first step is to install the nameserver software onto your Windows Server 2003 computer. To do so, follow these steps:

  1. Open Add/Remove Programs inside the Control Panel.

  2. Click the Add/Remove Windows Components button on the left side of the window.

  3. Select Network Services in the list box, and then click the Details button.

  4. Check the Domain Name System (DNS) checkbox, and click OK to return to the previous screen.

  5. Click Next to proceed with the DNS software installation.

  6. Click Finish, and then Close, to finish the procedure.

If you have your computer set up to receive an IP address via DHCP, the nameserver installation will complain loudly that DNS isn't intended to work on dynamically assigned IP addresses. For this example, click OK three times to acknowledge these warnings. As mentioned previously, make sure nameservers have a consistent, unchanging IP address.


Next, point your new nameserver to itself for name resolution so that when you run tests, you're not querying your ISP's nameservers. In fact, most nameservers point to themselves, rather than to other nameservers, for name resolution. I recommend setting this through the command line using the netshcommand, like so:

netsh int ip set dns "Local Area Connection" static 192.168.0.5 primary

You can replace Local Area Connectionwith the name, as appearing in your network connection properties, of your network connection. Also, replace 192.168.0.5with the local nameserver's IP.

Of course, you also can change the nameservers to use for name resolution through the Windows interface by following these steps:

  1. Inside the Control Panel, double-click the Network Connections applet.

  2. Inside the Network Connection dialog box, right-click the name of your network connection and choose Properties from the context menu.

  3. Navigate to the General tab, and then select Internet Protocol (TCP/IP).

  4. Click the Properties button.

  5. Click the Use the following DNS server address radio button, and then enter the nameserver's IP address into the box.

  6. Click OK.

Now that the DNS server software is installed, you need to start the DNS service. Select Start, then click Administrative Tools and select DNS. The DNS Management Snap-in will appear, as shown in Figure 4-1(although it will not have all of the forest lookup zones shown in the figure).

Figure 4-1. The DNS Management Snap-in


We'll manually set up DNS later in this chapter, so ignore the message to use the Configure Your DNS Server Wizard. At this point, you have a functional nameserver, which performs "caching-only" functionsthat is, it doesn't hold any DNS information unique to itself, but it does know how to contact the 13 root servers as held by ICANN, the master of DNS on the Internet, and it can resolve Internet addresses by contacting them. Windows Server 2003's DNS software knows how to do this by default, without any configuration on your part.

4.5.1. Enabling Incremental Transfers

Windows Server 2003's DNS component is compliant with RFC 1995 and can do incremental transfers (known as IXFRs in DNS parlance) with other Windows 2000 or Windows Server 2003 servers supporting the feature. It also still can do the old-style full zone transfers, referred to as AXFRs, with noncompliant nameservers and with non-Windows 2000 or non-Windows Server 2003 machines. There is not a way to instruct Windows Server 2003 to always send full zone files to all servers, regardless of whether they are compliant. You can, however, tell Windows to send incremental zone transfers to all supporting servers, regardless of whether they run Windows 2000 or Windows Server 2003. Here's how:

  1. Open the DNS Management snap-in.

  2. Right-click your server and select Properties from the context menu.

  3. Navigate to the Advanced tab, and un check the box labeled BIND Secondaries.

  4. Click OK to finish.

Now the server will use incremental zone transfers to all supporting servers, not just to those running Windows 2000 or Windows Server 2003.

4.5.2. Creating a Forward Lookup Zone

Now, to further configure your server, let's create a forward lookup zone file. Inside the DNS snap-in, expand the server name in the lefthand pane. Then do the following:

  1. Right-click Forward Lookup Zones and select New Zone. The New Zone Wizard appears.

  2. Choose Primary Zone, and then click Next.

  3. Enter the zone name. In this example, I'll use hasselltech.net. Click Next to continue.

  4. Enter a name for the new zone file, which is stored in ASCII format. The default name is your domain with .dns appended to the endhasselltech.net.dns, for example. The zone files are stored in %SystemRoot%\system32\dns. Click Next.

  5. On the Dynamic Update screen, choose to allow both insecure and secure dynamic updates. I'll discuss dynamic DNS updating in a later section. Click Next.

  6. Click Finish to complete the zone creation process.

The hasselltech.net zone has now been created.

4.5.3. Entering A Records into a Zone

Inside the DNS snap-in, right-click the hasselltech.net node in the lefthand pane and choose New Host (A) from the context menu. The New Host dialog box appears, as shown in Figure 4-2.

Figure 4-2. Entering a new A record


Enter the hostname of the machine for which you're entering the record, and then enter the IP address of the machine. As you enter the hostname, the fully qualified domain name (FQDN) will adjust to show the full hostname, including the domain, to check your work. You also can check the Create associated pointer (PTR) record checkbox, which enters a PTR record into the reverse lookup zone, if one is currently configured. (If none is set up, the process will throw an error.) Click OK.

4.5.4. Controlling Round-Robin Balancing

You can enable or disable round-robin DNS balancing using the nameserver's Advanced Properties screen, which you'll find by right-clicking the nameserver name in the DNS Management snap-in's lefthand pane and selecting Properties from the context menu. Figure 4-3 shows this screen, on the Advanced tab of the Properties sheet.

Figure 4-3. Advanced properties of a DNS server


Check Enable round robin in the Server options box to enable round robin, and uncheck it to disable it.

DNS round-robin functionality is enabled on a per-server level, not on a per-zone level.


Also, if you want to turn off the subnet mask ordering feature, on the Advanced Properties screen shown in Figure 4-3uncheck Enable netmask ordering in the Server options box.

4.5.5. Entering and Editing SOA Records

A default SOA record is created when you create a new zone in Windows Server 2003. To modify an SOA record, double-click it in the DNS Management snap-in. The screen will look something like Figure 4-4.

Figure 4-4. SOA record properties for a zone


Here are descriptions of the various fields on this tab:


Serial number

The serial number indicates whether the SOA record has changed since the last update on the part of a nonauthoritative nameserver. If you want to change this number, click the Increment button; you can't simply edit the field.


Primary server

This field denotes the primary, authoritative nameserver for this zone.


Responsible person

This field indicates the administrator responsible for configuring and editing this zone. This is the administrator's email address, but with a period in place of the normal at sign (@) and a period appended to the end of the string. For example, if your administrator is hostmaster@hasselltech.net, in this field you would enter hostmaster.hasselltech.net.


Refresh interval

The refresh interval indicates to secondary nameservers how long they can keep their copies of the zones before being required to request a refresh.


Retry interval

The retry interval indicates how long the secondary nameserver must wait before attempting to contact the authoritative nameserver again after a failed attempt to refresh its zone after the refresh interval has lapsed.


Expires after

This value essentially indicates how long a zone file is valid for use in production environments. It dictates how long a secondary nameserver will continue attempting a zone transfer from its primary nameserver. When this expiration date is reached, the zone on the secondary nameserver expires and that server stops responding to queries.


Minimum (default) TTL

This value indicates to other nameservers how long they can use information they've previously retrieved from this nameserver before being required to consult the authoritative server again for updated or refreshed information. This is, by default, 60 minutes. You also can set TTL values for individual records that override this minimum default setting for a zone.


TTL for this record

This value overrides the minimum (default) TTL as described earlier and is limited to only this SOA record.

4.5.6. Creating and Editing NS Records

NS records, as you learned earlier in this chapter, link the hostnames of nameservers to their IP addresses. To create these records, inside the DNS Management snap-in right-click the zone file in question and select Properties. Then, select the Name Servers tab. You'll be greeted with the screen shown in Figure 4-5.

The primary NS record is displayed, as it was created by default when you first constructed the zone. Click the Add button to insert a new NS recordfor example, for a secondary nameserver. In the box that appears, type in the new machine's fully qualified domain name and click the Resolve button. Windows Server 2003 uses a reverse lookup to determine the IP address of the hostname you entered. If you agree with its finding, click the Add button beside the IP address and the NS record will be entered. Click OK twice to close.

4.5.7. Creating and Editing CNAME Records

Recall that CNAME records map different hostnames to preexisting A records, allowing multiple DNS names for a host. To create these records, right-click the hasselltech.net node in the lefthand pane of the DNS Management snap-in and choose New Alias (CNAME) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-6.

Figure 4-5. Editing NS records for a zone


Figure 4-6. Entering a new CNAME record


Enter the aliased name of the machine for which you're entering the record (this is the canonical name), and then enter the fully qualified domain name of the host you're aliasing. As you enter the CNAME, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work.

Click OK to finish.

4.5.8. Creating and Editing MX Records

As you'll remember from earlier in this chapter, MX records dictate how mail is delivered to a specific DNS zone. To create these records, inside the DNS snap-in right-click the hasselltech.net node in the lefthand pane and choose New Mail Exchanger (MX) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-7.

Figure 4-7. Entering a new MX record


Enter the name of the domain or zone for which you're entering the record, and then enter the fully qualified domain name of the host to which mail for that domain or zone should be delivered. As you enter the CNAME, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work. Finally, in the Mail server priority box, type the MX preference number that should apply to this record.

Click OK to close.

4.5.9. Generating a Reverse Lookup Zone

You learned earlier in this chapter that reverse lookup zones map IP addresses to their corresponding hostnames. To create these records, inside the DNS Management snap-in, right-click the Reverse Lookup Zones folder and choose New Zone from the context menu. You'll be presented with the New Zone Wizard. Click Next to bypass the introductory screen and you'll see Figure 4-8. Then follow these steps:

  1. Choose Primary zone, and click Next.

  2. Enter the network numbers for your network in the Network ID fieldfor example, 192.168.0.0and then click Next.

  3. The Dynamic Updates page appears. Select to allow both insecure and secure updates, and then click Next.

  4. Click Finish to complete the wizard.

Figure 4-8. Creating a new reverse lookup zone


Your reverse lookup zone has been created.

4.5.10. Creating and Editing PTR Records

Remember that PTR records map IP addresses to their hostnames and are vital within a reverse lookup zone. To create these records, right-click the appropriate reverse lookup zone within the DNS Management snap-in and select New Pointer (PTR) from the context menu. The New Resource Record dialog box will appear, as shown in Figure 4-9.

Figure 4-9. Entering a new PTR record


On this screen, all you need to do is enter the last dotted quad of a specific IP address, and then enter the hostname to which that address should refer. The FQDN for the reverse lookup record will fill in automatically.

Click OK to finish.

4.5.11. Configuring a Secondary Nameserver

In this section, I'll cover creating a secondary nameserver to serve a zone. Some preliminary steps are in order, though: first, the machine should be running Windows Server 2003, and it should have the DNS service installed, as I mentioned before. The machine's network connection should be configured so that its preferred nameserver is itself. (Also, for the purposes of this section, the secondary nameserver will be called ns2.hasselltech.net at IP address 192.168.0.6.)

To proceed:

  1. Open the DNS Management MMC snap-in.

  2. Right-click Forward Lookup Zones and select New Zone from the context menu. The New Zone Wizard will appear; click Next to skip the introductory screen.

  3. Choose Secondary to create a secondary lookup zone, which will indicate to Windows that this should be a secondary nameserver. Click Next.

  4. Enter the name of an existing zone on the Zone Name screen, and click Next.

  5. Specify the nameservers from which Windows can fetch the existing zone files. Simply enter the primary nameserver in the box, click Add, and then click Next, as shown in Figure 4-10.

  6. Click Finish to create the zone.

Figure 4-10. Specifying a primary DNS server for a secondary DNS zone


4.5.12. Upgrading a Secondary Nameserver to Primary

Perhaps you decide, upon acquiring a new business into your organization, that you need more horsepower in responding to DNS queries. Or perhaps eventually you'd like to cluster your DNS servers. In these cases, you would want to promote some secondary nameservers to primary status. It's an easy process to promote an existing secondary nameserver to a primary nameserver.

  1. Open the DNS Management snap-in.

  2. Right-click the zone folder that you want to convert, and select Properties from the context menu.

  3. Navigate to the General tab, as shown in Figure 4-11.

    Figure 4-11. Promoting a DNS server

  4. To the right of the Type entryit should now say either Primary or Secondaryclick the Change button. The Change Zone Type screen will appear, as shown in Figure 4-12.

    Figure 4-12. Changing a server from primary to secondary

  5. Click the Primary zone radio button to perform the promotion.

  6. Click OK.

The server will now be a primary server for that zone.

4.5.13. Manually Editing Zone Files

All zone files are stored in %SystemRoot%\system32\dns. The files are stored in the format <domain>.dns (e.g., hasselltech.net.dns). You can edit them with your favorite text editor or with a script that you can write to perform large-scale and/or automated machine rollouts.

When you directly edit zone files, make sure you manually increment the serial number value in the zone's SOA record. You can increment by any value. Otherwise, the changes are likely to be missed by any secondary nameservers during a zone transfer.


4.5.14. Controlling the Zone Transfer Process

For obvious reasons, you'll find it necessary to control which machines can perform a zone transfer from nameserversafter all, users at large on the Internet have no legitimate need to retrieve a full copy of your zones, and having a full record of your connected machines is a huge security breach. Unfortunately, Microsoft didn't lock down this process, so by default your Windows Server 2003 nameserver will transfer its zone files to any machine upon request. This is locked down, however, in Service Pack 1.

To lock this down, open the DNS Management snap-in and expand the nameserver's name. Find a zone under Forward Lookup Zones, right-click it, and choose Properties. Click over to the Zone Transfers tab. You'll see the screen depicted in Figure 4-13.

You see that you can disallow zone transfers wholesale by unchecking the box labeled Allow zone transfers. However, if you choose to enable them to have secondary nameservers, you can lock down the access to those zone files a bit more granularly. The first option, To any server, leaves the transfer process wide openthis is the default setting on machines that haven't been upgraded to Service Pack 1. The second option, Only to servers listed on the Name Servers tab, seems to be the most reasonable option by restricting transfer to the servers identified as authoritative for the domain on that tab. The third option, Only to the following servers, can lock down that list even further. Simply select the option, enter an IP address into the box, and click Add when you're done. Make the list as long or short as it needs to be, and then finish the process by clicking OK.

Figure 4-13. Controlling zone transfers


Windows Server 2003 also supports a feature listed in RFC 1996 known as zone modification notification, which nearly contradicts what I wrote earlier about the zone transfer process being primarily a pull, rather than a push, process. Click the Notify button on the Zone Transfer tab to explore this feature; you'll be greeted with the screen in Figure 4-14.

The notification feature will contact the servers listed on this Notify screen when changes are made to the zone file on the primary nameserver. You can have the server contact the authoritative nameservers for a zone or domain as listed on the Name Servers tab, or contact only the servers in the list that you create on this screen. (To create this list, simply enter an IP address and click Add. Repeat as necessary to build the list.) Click OK when you've configured or disabled this feature as you wish.

Figure 4-14. Notify dialog screen



Previous Page
Next Page