Installing and Configuring DNS

Installing the DNS Server Service

There are a number of methods which you can use to install the DNS server service on your Windows 2000 or Windows Server 2003 computer:

Install the DNS server service on a stand-alone computer using the Add or Remove Program applet of Control Panel.
Install DNS when you install the first domain controller for an Active Directory domain.
Install DNS on an existing domain controller in an Active Directory domain.

Before installing the DNS server service, it is recommended that you perform the following administrative tasks:

Configure a static IP address for the computer
Configure a static domain name for the computer.

How to configure a static domain name for the computer

Click Start, Control Panel, and then click Network Connections.
Select Local Area Connection and then click Properties.
In the Local Area Connections dialog box, select Internet Protocol (TCP/IP), and then click Properties.
When the Internet Protocol (TCP/IP) dialog box opens, click Advanced.
The Advanced TCP/IP Settings dialog box opens.
Click the DNS tab.
Ensure that this server's address, for which DNS is to be installed, is displayed first in the DNS Server Addresses: In Order Of Use: list.
In the DNS Suffix For This Connection: box, enter the primary DNS domain name.
Click OK.

How to install the DNS server service on a stand-alone computer

Open Control Panel
Double-click Add/Remove Programs, and then click Add/Remove Windows Components.
The Windows Components Wizard starts.
Click Networking Services, and then click Details.
In the Networking Services dialog box, select the checkbox for Domain Name System (DNS) in the list.
Click OK. Click Next. Click Finish.

How to create a forward lookup zone

If you want the DNS server to be authoritative for a zone, you have to create and configure a forward lookup zone. A forward lookup zone contains DNS domain zones that are hosted on the DNS server. The DNS server will then be able to resolve a host name to an IP address.

Click Start, Administrative Tools, and then click DNS to open the DNS console.
In the console tree, right-click the DNS server, and then click New Zone from the shortcut menu.
On the Welcome to the New Zone Wizard, click Next.
On the Zone Type page, select the default option, Primary Zone, for the zone type and then click Next.
On the Forward Or Reverse Lookup Zone page, select the Forward lookup zone option, and click Next.
Enter a zone name for the new zone on the Zone Name page. Click Next.
On the Zone File page, accept the default setting: Create A New File With This File Name, and then click Next.
On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates option. Click Next.
Click Finish to add the new forward lookup zone to the DNS server.

How to add DNS resource records to a DNS zone

The DNS database contains resource records (entries) that are used to resolve name resolution queries sent to the DNS server. Each DNS server contains the resource records (RRs) it needs to respond to name resolution queries for the portion of the DNS namespace for which it is authoritative. While resource records can be configured to be dynamically registered with the DNS server, you can also manually add DNS resource records.

There are various resource records that contain different information or data. The standard DNS record types are:

Host (A) resource record: The host (A) resource ties the domain names of computers (FQDNs) or hosts names to their associated IP addresses. The methods which are used to add host (A) resource records to zones are:

Manually add these records, using the DNS management console.
You can use the Dnscmd tool at the command line to add host (A) resource records.

Alias (CNAME) resource record: CNAME resource records ties an alias name to its associated domain name. Alias (CNAME) resource records are referred to as canonical names.
Mail exchanger (MX) resource record: This record provides routing for messages to mail servers and backup servers. The mail MX resource record provides information on which mail servers processes e-mail for the particular domain name. E-mail applications therefore mostly utilize MX resource records.
Pointer (PTR) resource record: These records point to a different resource record, and is used for reverse lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or FQDNs. You can add PTR resource records to zones through the following methods:

Use the DNS management console to manually add these records.
You can use the Dnscmd tool at the command line to add these records as well.

Service (SRV) resource record: A SRV record associates the location of a service such as a domain controller or global catalog server; with details on how the particular service can be contacted.

To manually add a Host (A) resource record

Click Start, Administrative Tools, and then click DNS to open the DNS console.
In the console tree, expand the Forward Lookup Zones folder and then select the zone that you want to add resource records to.
From the Action menu, select the resource record type that you want to add to the zone. The options are: New Host (A), New Alias (CNAME), New Mail Exchanger (MX), and Other New Records.
Select the New Host (A) option.
The New Host dialog box opens.
In the Name (Use Parent Domain Name If Blank) textbox, enter the name of the new host.
When you specify the name of the new host, the resulting FQDN is displayed in the Fully qualified domain name (FQDN) textbox.
In the IP Address box, enter the address for the host.
If you want to create an associated pointer (PTR) record, enable the checkbox.
Click the Add Host button.
The new host (A) resource record is added to the particular zone.
A message box is displayed, verifying that the new host (A) resource record was successfully created for the zone.
Click OK.

How to configure a stub zone

Click Start, Administrative Tools, and then click DNS to open the DNS console.
Expand the Forward Lookup Zones folder.
Select the Forward Lookup Zones folder, and then select New Zone from the Action menu.
The New Zone Wizard initiates.
On the initial page of the Wizard, click Next.
On the Zone Type page, select the Stub Zone option.
Uncheck the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) checkbox. Click Next.
On the Zone Name page, enter the name for the new stub zone in the Zone Name textbox, and then click Next.
Accept the default setting on the Zone file page. Click Next.
On the Master DNS Servers page, enter the IP address of the master server in the Address text box. Click Next.
On the Completing The New Zone Wizard page, click Finish.

How to create a reverse lookup zone

Click Start, Administrative Tools, and then click DNS to open the DNS console.
In the console tree, right-click the DNS server, and then click New Zone from the shortcut menu.
On the Welcome to the New Zone Wizard, click Next.
On the Zone Type page, select the default option, Primary Zone, for the zone type and then click Next.
On the Forward Or Reverse Lookup Zone page, select the Reverse lookup zone option, and click Next.
Enter the IP network for the domain name in the Network ID field and then click Next.
On the Zone File page, accept the default setting: Create A New File With This File Name, and then click Next.
On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates option. Click Next.
Click Finish to create the new reverse lookup zone.

Configuring a DNS Server

When DNS is installed, and you do not add or configure any zones for the DNS server, the DNS server functions as a caching-only DNS server by default. Caching-only DNS servers do not host zones, and are not authoritative for any DNS domain. The information stored by caching-only DNS servers is the name resolution data that the server has collected through resolving name resolution queries.

The DNS console is the management tool used to configure properties for DNS servers and DNS zones. To access the DNS console; click Start, click Administrative Tools, and then click DNS. If you installed DNS on a stand-one computer through the Add or Remove Program applet of Control Panel, the DNS console contains only the following folders in the console tree:

Event Viewer; contains the shortcut to the DNS Event Viewer log that is automatically installed when you install DNS. The DNS Event Viewer log contains DNS specific events:

Errors
Warning

Forward Lookup Zones; contains the forward lookup domain zones that are configured on this DNS server.
Reverse Lookup Zones; contains the reverse lookup domain zones that are configured on this DNS server.

After creating the DNS zones and adding resource records to these zones, the following task you need to perform is to configure the DNS server's properties. You configure the DNS server by configuring two separate configuration settings:

DNS Server configuration settings: These settings impact each zone hosted on a specific DNS server.
DNS Zone configuration settings: These settings are only relevant for the specific zone which you are configuring.

Configuring DNS Server Properties

You can configure a number of settings for the DNS server through its properties dialog box. To access the Properties of a DNS server;

Click Start, Administrative Tools, and then click DNS.
In the console tree, right-click the DNS server that you want to configure, and then select Properties to open the DNS Server's Properties dialog box.
The DNS Server's Properties contains a number of tabs that you can use to configure settings for all zones hosted on the DNS server.

Interfaces tab
The Interfaces tab is the location where you to specify what Network Interface Cards (NIC) and associated IP addresses, the DNS server should listen to for DNS queries. The DNS server by default listens for DNS requests on the IP addresses that are associated with the local computer.
If you want to limit the number of IP addresses that the DNS server listens to for DNS queries, click the Only the following IP addresses option, and specify the IP addresses the DNS server should listen to in the IP Address field. Click the Add button.

Forwarders tab
DNS forwarders are the DNS servers used to forward queries for different DNS namespace to those DNS servers who can answer the query. A DNS server is configured as a DNS forwarder when you configure the other DNS servers to direct any unresolved queries to a specific DNS server. Creating DNS forwarders can improve name resolution efficiency. Windows Server 2003 DNS introduces a new feature, called conditional forwarding. With conditional forwarding, you create conditional forwarders within your environment that will forward DNS queries based on the specific domain names being requested in the query.

DNS forwarders are configured on the Forwarders tab. You can configure one or multiple DNS forwarders. When multiple DNS forwarders are configured, the DNS forwarders are queried from the top of the list to the bottom of the list. You can also specify the time that the local DNS server should wait between querying different DNS forwarders. If you do not want the DNS server to use others means of name resolution, select the Do not use recursion for this domain checkbox.

Advanced tab
The Advanced tab enables you to configure a number of server options for your DNS server. The various server options which you can configure, and their default settings are:

Disable recursion (also disables forwarders) - off: The default setting of this option is off, which means that the DNS server uses recursion to resolve a client's query. If you enable this server option, the DNS server no longer performs recursion to resolve client queries. Instead, it provides the client with referrals
BIND secondaries - on: When enabled, the DNS server uses the slow uncompressed transfer format to transfer zone data to secondary DNS servers. This option allows for zone transfer compatibility with versions of BIND previous to 4.9.4. You can disable this option if you do not need to support versions of BIND previous to 4.9.4. When disabled, the fast transfer format is used to transfer zone data.
Fail to load if bad zone data - off: When this option is disabled, a DNS server will load all zones, even when a particular zone's database file contains errors. If you do not want the DNS server to load a zone that has errors in its zone data, enable this option.
Enable round robin - on: When this option is enabled; for DNS entries where multiple IP addresses exist for the same host name, the DNS servers can rotate the order of matching A resource records when clients query the particular host name. This server option is typically used to enable load balancing between multiple servers.
Enable netmask ordering - on: When a computer name is queried that has multiple matching host (A) resource records, this server option results in the DNS server first returning an IP address to the client which is in the subnet of the client.
Secure cache against pollution - on: When enabled, the DNS server is protected from any referrals that might pollute the DNS cache with the incorrect information. If the Secure cache against pollution option is enabled, the DNS server will only cache responses that have a name which ties to the domain that was initially queried. If the option is disabled, the DNS server will cache all responses to queries.

The Name Checking drop-down list box on the Advanced tab contains the name checking formats which you can configure the DNS server service to use and enforce. While there are four name checking methods which you can choose between, it is recommended to leave the default setting, Multibyte (UTF8), unchanged. The name checking formats in the Name Checking drop-down list box are:

Strict RFC (ANSI); this method uses strict checking of names as specified by RFC compliant naming rules. All names that do not comply are regarded as being errors.
Non RFC (ANSI); this method allows names that are not RFC compliant.
Multibyte (UTF8); this is the default name checking method used. The method allows names that use the Unicode 8-bit translation encoding.
All names: All naming formats are allowed.

The Load zone data on startup option on the Advanced tab is used to inform the DNS server service of the location from which zone data should be loaded. The options available in the Load zone data on startup drop-down list box are:

From Active Directory and registry; this is the default setting that loads zone data from Active Directory.
From registry; loads zone data from the Windows registry.
From File; loads zone data from a flat file.

The Enable automatic scavenging of stale records checkbox is not selected by default. If you want the DNS server to automatically delete stale resource records from a zone at the interval set under the Scavenging period, select the Enable Automatic Scavenging Of Stale Records checkbox.

Root Hints tab
By default, the Root Hints tab contains a copy of the information stored in the Cache.dns file. If your DNS servers are used to resolve Internet names, you do not need to modify the information on this tab. If however, you want to create your own custom root hints, then you have to delete the Internet root servers and add the correct information for your environment.

Debug Logging tab
If you need to troubleshoot the DNS server, you can use this tab to enable debug logging. You can specify a number of settings on this tab which limits the number of packets which are logged, based on the following:

Packet direction
Transport protocol
Packet content
Packet type
Filter packets by IP address.

Event Logging tab
If you want to limit the events which are written to the DNS Events log, you would need to use the Event Logging tab. The options which you can select to limit DNS event logging are:

No events
Errors only
Errors and warnings
All events

The Event Viewer folder in the DNS console is the shortcut to the DNS Event Viewer log that is automatically installed when you install DNS.

Monitoring tab
This tab allows you to test querying of the DNS server. You can choose to perform a simple query test, a recursive query test, or you can specify that the DNS server automatically performs testing at an interval that you set. The type of test you want to perform can be selected from the Select A Test Type area of the Monitoring tab. After selecting the test, simply click the Test Now button. The Test Results area of the tab displays the results of the test.

Configuring DNS Zone Properties

DNS zone settings are configured through the Properties dialog box of a specific zone. The properties dialog box of a standard primary DNS zone and a standard secondary DNS zone has the following five tabs:

General tab
Start Of Authority (SOA) tab
Name Servers tab
WINS tab
Zone Transfers tab.

The properties dialog box of an Active Directory-integrated zone has an additional tab, called the Security tab. This is the tab where you set access permissions for the specific zone:

Configure who can modify the properties of a specific zone
Configure who add dynamic updates to records for a specific zone.

To access the properties dialog box of a DNS zone,

Click Start, Administrative Tools, and then click DNS.
In the console tree, expand the DNS server node.
Expand the Forward Lookup Zones folder.
Locate and right-click the particular zone that you want to configure zone properties for, and then select Properties from the shortcut menu.
The DNS Zone Properties sheet contains a number of tabs that you can use to configure settings for the specific DNS zone.

General tab
The main zone configuration settings which you can configure on the General tab are:

Zone type
Zone file name
Dynamic updates settings
Aging settings

The buttons and fields which are used to configuration settings on the General tab are:

Zone status indicator and Pause button: The zone status indicator displays the status of the zone with regard to answering name resolution queries. You can use the associated Pause button to pause DNS name resolution. Clicking the Pause button does not however pause the DNS Server service.
Zone type indicator and Change button: The zone type indicator displays the zone type configured for the specific zone. When you click the Change button, the Change Zone Type dialog box opens. Through the Change Zone Type dialog box, you can change the zone type of an existing zone. The settings on the Change Zone Type dialog box are:

Primary Zone option: This zone type contains the configuration settings and zone data for the specific zone.
Secondary Zone option: This zone type contains a read-only copy of zone data, and cannot be directly edited.
Stub Zone option: This zone type contains the resource records that are used to identify the authoritative DNS servers for the particular zone.
Store The Zone In Active Directory checkbox: If you want the zone data to be stored in Active Directory and not in the Zones file, click the Store The Zone In Active Directory checkbox

Replication indicator and Change button: The replication indicator and its associated Change button are specific to zones that store their zone data in Active Directory. The replication indicator displays the scope of replication for the Active Directory-integrated zone. Clicking the Change button displays the Change Zone Replication Scope dialog box. The settings that you can configure to manage Active Directory DNS zone replication on the Change Zone Replication Scope dialog box are:

To All DNS Servers In The Active Directory Forest option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory forest.
To All DNS Servers In The Active Directory Domain option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory domain.
To All Domain Controllers In The Active Directory Domain option: Zone data is replicated to all domain controllers in the Active Directory domain.
To All Domain Controllers Specified In The Scope Of The Following Application Directory Partition option: Zone data is replicated based on the replication scope of the particular application directory partition.
Application Directory Partition Name drop-down list box: Choose the application directory partition.

Zone File Name field: This field is applicable for standard primary DNS servers, and secondary DNS servers that do not store zone data in Active Directory. The Zone File Name field lists the file name of the DNS zone in the %systemroot%\system32\dns directory. The default zone file name is the zone name with a .dns extension. You can change the default zone file name using the Zone File Name field.
Dynamic Updates drop-down list box: You can use the settings of the Dynamic Updates drop-down list box to configure whether Dynamic DNS updates should be supported.

An IP address is added, deleted or changed in the Transmission Control Protocol/Internet Protocol (TCP/IP) Properties dialog box.
An IP address lease is renewed or modified.
A member server is promoted to a domain controller in the DNS zone.
A DNS client computer is started.
The Ipconfig /registerdns command is run to manually start a refresh of the client name registration in DNS.

None: Dynamic Updates are not allowed for this particular zone. This means that all registrations and updates to zone resource records must be manually performed.
Nonsecure And Secure: Allows client computers to automatically create and also update its resource records. In this case both secure and nonsecure dynamic updates can occur on this zone.
Secure Only: Allows client computers to automatically create and update its own resource records. In this case only secure dynamic updates can occur on this specific zone. The Secure Only dynamic updates option is only available for Active Directory-integrated zones.

Aging button: If you want to configure aging or scavenging properties, click the Aging button on the General tab to open the Zone Aging/Scavenging Properties dialog box. With DNS, aging must be enabled for a particular zone for both the server properties and for the zone properties.

Open the DNS console.
In the console tree, right-click the DNS server node, and then select Set Aging/Scavenging For All Zones from the shortcut menu.
When the Server Aging/Scavenging Properties dialog box opens, select the Scavenge Stale Resource Records checkbox.
Click OK.

No-refresh interval: The default setting is seven days. The no-refresh interval stops the DNS server from performing unnecessary refreshes.
Refresh interval: This is the time after the No-refresh interval when timestamp refreshes are allowed. Records are not scavenged. The default setting is also seven days.

Start Of Authority (SOA) tab
The Start Of Authority (SOA) tab is the location on the Zone Properties dialog box where you can configure options or settings that are specific for the SOA resource record for the zone. The configuration settings on the Start Of Authority (SOA) tab are:

Serial Number field: This field displays the version of the SOA record for the DNS server. If you want to manually change the version number click the Increment button. The Serial Number field is also dynamically updated whenever a resource record in the particular zone is changed. The Serial Number field enables secondary DNS servers to determine when changes are made to resource records within the zone. If the serial number of the master zone is the same as the local serial number, zone transfer is not initiated by the secondary DNS servers. If the serial number of the master zone is the higher than that of the local serial number, zone transfer is initiated by the secondary DNS server.
Primary Server field: This field shows the computer name of the primary DNS server for this particular zone.
Responsible Person field: This field shows the administrator responsible for administering this specific zone.
Refresh Interval field: The field has a default setting of 15 minutes. The Refresh Interval field indicates how frequently the secondary DNS servers for this zone query the configured master server for zone updates. The secondary DNS servers request a copy of the SOA resource record for the zone when the interval expires. It then checks what the serial number of the master's SOA resource record is, and compares this value to its own SOA resource record's serial number. A zone transfer is initiated when the two values are different.
Retry Interval field: The field has a default setting of 10 minutes. The value specified in the Retry Interval field determines how long secondary DNS servers wait after a zone transfer failure before re-attempting the failed zone transfer.
Expires After field: The field has a default setting of 24 hours. The value of this field determines the time duration after which a secondary DNS server that has no contact with its configured master server discards zone data.
Minimum (Default) TTL field: The field has a default setting of one hour. The value of the Minimum (Default) TTL setting indicates the TTL for all resource records that are created in this particular zone.
TTL For This Record: The value of the TTL For This Record field indicates the TTL of this current SOA resource record.

Name Servers tab
The Name Servers tab shows all the DNS name servers which are authoritative for the zone. The list of authoritative DNS servers could include both primary DNS servers and secondary DNS servers. To change the authoritative DNS servers for the zone, click the Add, Edit, and Remove buttons at the bottom of the Name Servers tab.

WINS tab
If you want to integrate Windows Internet Naming service (WINS) and DNS, then you would use the WINS tab to configure WINS forward lookups for the zone when the DNS server cannot resolve name resolution queries.

Zone Transfers tab
The settings on the Zone Transfers tab determine whether the DNS server will accept zone transfers from the master server. The configuration settings on the Zone Transfers tab are:

Allow Zone Transfers checkbox: Determines whether the zone transfers are allowed or disallowed. The Allow Zone Transfers checkbox is disabled by default.
To Any Server option: When selected, zone transfers are allowed to any server that requests a copy of zone data.
Only To Servers Listed On The Name Servers Tab option: This setting only allows zone transfers to those DNS servers that are listed the Name Servers tab for this particular zone.
Only To The Following Servers option: This is option allows administrators to specify which DNS servers, based on IP addresses, can request zone transfers.
Notify button: If you want to configure automatic zone transfer notification triggers to the secondary DNS servers for the zone, click the Notify button at the bottom of the Zone Transfers tab. The Notify dialog box opens. This is where you configure the secondary DNS servers that should be notified when zone updates occur. Enable the Automatically Notify checkbox, and choose one of the following options:

Servers Listed On The Name Servers Tab option.
The Following Servers option, and then specify the IP addresses of the DNS servers that you want notification sent to.

How to configure a delegated DNS zone

Click Start, Administrative Tools, and then select DNS to open the DNS console.
Right-click the zone in the console tree, and then select New Delegation from the shortcut menu.
The New Delegation Wizard initiates.
Click Next on the first page of the New Delegation Wizard.
When the Delegated Domain Name page opens, provide a delegated domain name, and then click Next.
On the Name Servers page, click the Add button to add the name and IP address of the DNS server that should host the delegated zone.
On the Name Servers page, click Next. Click Finish

How to enable dynamic updates for a zone

Click Start, Administrative Tools, and the select DNS to open the DNS console.
Right-click the zone you want to work with in the console tree, and then select Properties from the shortcut menu.
When the Zone Properties dialog box opens, on the General tab, select Yes in the Allow Dynamic Updates list box.
Click OK.

How to restore DNS server default server options settings

Click Start, Administrative Tools, and then select DNS to open the DNS console.
Right-click the DNS server and then click Properties on the shortcut menu.
When the Properties dialog box of the DNS server opens, click the Advanced tab.
Click the Reset To Default button.
Click OK.

How to enable/disable fast transfer format for zone transfers

Click Start, Administrative Tools, and then select DNS to open the DNS console.
In the console tree, right-click the DNS server, and then select Properties from the shortcut menu.
When the Properties dialog box of the DNS server opens, click the Advanced tab.
In the Server Options list, select or deselect the BIND Secondaries checkbox.
Click OK.

How to disable local subnet prioritization for multihomed names

Click Start, Administrative Tools, and then select DNS to open the DNS console.
In the console tree, right-click the DNS server, and then select Properties from the shortcut menu.
When the Properties dialog box of the DNS server opens, click the Advanced tab.
In the Server Options list, deselect the Enable Netmask Ordering checkbox.
Click OK.