Managing DNS
After DNS is installed, it can be managed using the DNS management console. Management tasks include configuring zone settings, creating and managing resource records, and monitoring the status and performance of DNS. The following sections discuss some of the common management tasks associated with DNS.
Managing DNS Zone Settings
After a zone has been successfully added to your DNS server, you can configure it via the zone's Properties dialog box. To do so, right-click the zone from within the DNS management console and click Properties. The Properties dialog box for the zone displays six tabs, as shown in Figure 3.7. If Active Directory is not installed, only five tabs are available (the Security tab is not present).
Figure 3.7 You can configure a zone through its Properties dialog box.
The following list summarizes each of the tabs for a DNS zone's properties:
General: View the status of the zone, change the type of zone, change the zone filename, change the replication scope for a zone, and configure dynamic updates. You can also set the aging and scavenging properties for the zone.
Start of Authority (SOA): Configure the zone transfer information and the email address of the zone administrator. The serial number is used to determine whether a zone transfer is required. Each time a change is made, this number is incremented by 1. By using the Increment button, you can increase the value, thereby forcing a zone transfer.
Name Servers: Specify the list of secondary servers that should be notified when changes to the zone file occur.
WINS: Enable the DNS server to query the list of WINS servers for name resolution.
Zone Transfers: Configure which secondary servers can receive zone transfers. You can specify any server, only those listed on the Name Servers tab, or the ones configured from this property sheet. Clicking the Notify button enables you to configure which secondary servers will be notified of changes.
Security: If the zone is Active Directory integrated, the Security tab is available and can be used to configure permissions to the zone file. This is where you can control who can perform dynamic updates.
Changing Zone Types
Using the General tab from the Zone Properties dialog box, you can change the current zone type (see Figure 3.8). To do so, click the Change button beside the zone type. You have the option of changing a primary or secondary zone to an Active Directory-integrated zone, or changing an Active Directory-integrated zone to a primary or secondary zone.
Before you attempt to change the zone type, be aware of the following points:
The option to store zone information within Active Directory is available only when the DNS server is also configured as a domain controller.
If you convert to a secondary zone or a stub zone, you must specify the IP address of the server from which the zone information will be retrieved.
Changing a secondary zone to a primary zone affects such things as dynamic updates, the use of the DNS Notify option, and zone transfers.
When the option to store information within Active Directory is cleared, zone information is deleted from Active Directory and copied into a text file on the local DNS server in the %systemroot%\system32\dns folder.
Because the purpose of a stub zone is to maintain information only about the authoritative name servers for the zone, converting a stub zone to a primary zone is not recommended: a primary zone contains many other kinds of records, not just those for the authoritative name servers.
Figure 3.8 You can change the zone type via a zone's Properties dialog box.
Dynamic Updates
Windows Server 2003, Windows XP, and Windows 2000 clients can interact directly with a DNS server. With dynamic updates, clients can automatically register their own resource records with a DNS server and update them as changes occur. Resource records are the entries within the DNS server database files. Each resource record contains information about a specific machine, such as the IP address or specific network services running. The type of information within a resource record depends upon the type of resource record that is created. For example, an A (address) record contains the IP address associated with a specific computer; it's used to map a hostname to an IP address.
Dynamic updates greatly reduce the administration associated with maintaining resource records. Dynamic updates eliminate the need for administrators to manually update these records. In terms of DHCP, with a short lease duration configured, the IP address assigned to DNS clients can change frequently. If dynamic updates are not enabled, an administrator can end up spending a lot of time updating zone information. In addition, there is always the chance for human error when done manually.
Dynamic updates provide the following advantages:
DHCP servers can dynamically register records for clients. This is particularly important because DHCP servers can perform updates on behalf of clients that do not support dynamic updates, such as Windows 95, 98, or NT4 clients.
The administrative overhead is reduced because A records and PTR records can be dynamically updated by Windows DNS clients that support this option.
The SRV records required to locate domain controllers can be dynamically registered.
CAUTION
To implement dynamic updates on a network with pre-Windows 2000 clients, a DHCP server and a DNS server are required on the network. The DHCP and DNS servers must be running Windows Server 2003 or Windows 2000 because Windows NT 4.0 DNS servers don't support dynamic updates. A DHCP server is required to perform dynamic updates on behalf of clients that do not support this feature, such as Windows 95 clients.
By default, any Windows Server 2003, Windows XP, or Windows 2000 client can update its own records with the DNS server. The DHCP client service attempts to update records with the DNS server when any of the following events occur:
The workstation is rebooted.
The client records are manually refreshed using the ipconfig /registerDNS command.
A statically configured IP address is modified.
The IP address leased from a DHCP server changes or is renewed. An IP address can be manually renewed using the ipconfig /renew option.
Let's take a look at an example of what happens when a Windows XP DNS client performs a dynamic update. Assume that you change a bayside.net workstation's computer name from computer1 to computer2. Upon changing the computer name, you are required to restart before the changes take effect. When the workstation restarts, the following process occurs:
The DHCP client service sends a query to an authoritative DNS server for the domain using the new DNS domain name of the workstation.
The DNS server that is authoritative for the workstation's domain responds to the request with information about the primary DNS server for the domain.
The client sends a dynamic update request to the primary DNS server.
The update request is processed by the primary DNS server. The old host and pointer records are removed and replaced with the updated ones.
The master name server notifies its secondary servers, in random order, that a change to the zone file has occurred.
Secondary servers request the zone transfer update to the zone file according to the frequency configured on the zone's Start of Authority tab.
Dynamic updates are configured on a per-zone basis. To configure a zone for dynamic update, right-click the zone within the DNS management console and click Properties. In the Properties dialog box, ensure that the General tab is selected. To enable dynamic updates, select one of the following options:
None: Select this option to disable dynamic updates for the zone. Doing so means that the zone file must be manually updated.
Nonsecure and Secure: Select this option to allow nonsecure updates (anyone can perform the update) as well as secure updates (only certain users can perform the update).
Secure Only: Select this option to enable dynamic updates for those users and groups authorized to do so because they have accounts in Active Directory and have been granted permission to update their records. This option is available only for zones that store information within Active Directory. You can use the Security tab from the zone's Properties window to configure who can perform dynamic updates.
CAUTION
When configuring dynamic updates, remember that the zone must be standard primary (information is stored locally in files) or Active Directory integrated (information is stored on all DCs). Also, to use secure updates, the zone must be Active Directory integrated. This feature is not supported by standard primary zones.
Secure Updates
Windows Server 2003 supports secure dynamic updates for zones that store information within Active Directory. With secure updates, only those clients authorized within the domain are permitted to update resource records. This means that the DNS server accepts updates only from clients that have accounts within Active Directory. Any computers that do not have accounts are not permitted to register any records, thereby eliminating the chance that unknown computers will register with the DNS server. Secure updates for a zone can be configured by selecting the Secure Only option.
The benefit of selecting this option is obviously an increase in security. The resource records and zone files can be modified only by users who have been authorized to do so. This also provides administrators with a finer granularity of control because they can edit the access control list (ACL) for the zone and specify which users and groups can perform dynamic updates. You edit the ACL for a zone by right-clicking the zone, selecting Properties, and choosing the Security tab.
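The difference between the three dynamic-update settings, and why Secure Only closes the door on unknown machines, is easiest to see as a decision procedure. The following is an added, constructed example (not Windows code and not from this chapter) that models the None, Nonsecure and Secure, and Secure Only settings described above: the per-record ACL that Secure Only keys on is simplified to the principal that registered the record plus a zone-wide set of principals granted update rights (standing in for the Security tab), and the account and host names are invented.

```python
"""Decision model for the three dynamic-update settings of a zone.

Added, constructed example (not Windows code): it models what a zone does
with a client's request to register or overwrite a resource record under the
None, Nonsecure and Secure, and Secure Only settings. The per-record ACL that
Secure Only relies on is simplified to an owner principal stored with each
record plus a zone-wide set of principals granted update rights (standing in
for the Security tab); that simplification is an assumption of this example.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class UpdateMode(Enum):
    NONE = "None"                                  # zone must be edited by hand
    NONSECURE_AND_SECURE = "Nonsecure and Secure"  # anyone may update
    SECURE_ONLY = "Secure Only"                    # Active Directory accounts only


@dataclass
class Record:
    rtype: str
    rdata: str
    owner: Optional[str]   # principal that registered it; None for static records


@dataclass
class Zone:
    name: str
    ad_integrated: bool
    mode: UpdateMode
    records: Dict[str, Record] = field(default_factory=dict)
    update_acl: Set[str] = field(default_factory=set)  # principals allowed to write any record


def evaluate_update(zone: Zone, principal: Optional[str], host: str,
                    rtype: str, rdata: str) -> Tuple[bool, str]:
    """Apply a dynamic update if the zone's setting permits it.

    principal is the client's Active Directory account name, or None when the
    update arrives unauthenticated. Returns (accepted, reason).
    """
    if zone.mode is UpdateMode.SECURE_ONLY and not zone.ad_integrated:
        raise ValueError("Secure Only is available only for Active Directory-integrated zones")
    if zone.mode is UpdateMode.NONE:
        return False, "refused: dynamic updates are disabled for this zone"

    fqdn = f"{host}.{zone.name}".lower()
    existing = zone.records.get(fqdn)

    if zone.mode is UpdateMode.NONSECURE_AND_SECURE:
        # No identity check at all: an unknown machine can register a new name
        # or replace an existing host's address.
        zone.records[fqdn] = Record(rtype, rdata, principal)
        return True, "accepted without authentication"

    # Secure Only: the client must have an account, and may overwrite an
    # existing record only if it owns it or is listed on the zone's ACL.
    if principal is None:
        return False, "refused: client has no Active Directory account"
    if existing is not None and existing.owner != principal and principal not in zone.update_acl:
        return False, f"refused: record is owned by {existing.owner!r}"
    zone.records[fqdn] = Record(rtype, rdata, principal)
    return True, "accepted: authenticated and permitted by the record ACL"


def demo() -> Dict[str, bool]:
    """Walk the same overwrite attempt through the two enabled settings."""
    outcome = {}
    workstation = "BAYSIDE\\COMPUTER1$"   # constructed computer account name
    # Nonsecure and Secure: an anonymous sender replaces computer1's address.
    zone = Zone("bayside.net", ad_integrated=True, mode=UpdateMode.NONSECURE_AND_SECURE)
    evaluate_update(zone, workstation, "computer1", "A", "10.0.0.21")
    outcome["nonsecure_overwrite"] = evaluate_update(zone, None, "computer1", "A", "10.0.0.99")[0]
    # Secure Only: the anonymous sender and a different account are both refused.
    zone = Zone("bayside.net", ad_integrated=True, mode=UpdateMode.SECURE_ONLY)
    evaluate_update(zone, workstation, "computer1", "A", "10.0.0.21")
    outcome["secure_anonymous"] = evaluate_update(zone, None, "computer1", "A", "10.0.0.99")[0]
    outcome["secure_other_account"] = evaluate_update(zone, "BAYSIDE\\OTHER$", "computer1", "A", "10.0.0.99")[0]
    outcome["secure_owner"] = evaluate_update(zone, workstation, "computer1", "A", "10.0.0.22")[0]
    return outcome


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'refused'}")
```

Running the demo shows the practical point of the Secure Only setting: in a Nonsecure and Secure zone, a sender with no account can replace another host's address record, whereas in a Secure Only zone only the account that registered the record (or a principal granted rights on the Security tab) can change it.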
Zone Transfers
Secondary servers get their zone information from a master name server. The master name server is the source of the zone file; it can be a primary server or another secondary server. If the master name server is a secondary server, it must first get the updated zone file from the primary server. The process of replicating a zone file to a secondary server is referred to as a zone transfer. Zone transfers occur between a secondary server and a master name server in the following situations:
When the master name server notifies the secondary server that changes have been made to the zone file. When the secondary server receives notification, it requests a zone transfer. If multiple secondary servers exist, they are notified at random so that the master name server is not overburdened with zone transfer requests.
When the refresh interval expires and the secondary server contacts the primary name server to check for changes to the zone file.
When the DNS server service is started on a secondary server.
When a zone transfer is manually initiated through the DNS management console on a secondary server.
Windows Server 2003 DNS (as well as Windows 2000 DNS) supports two types of zone transfers. Pre-Windows 2000 implementations of DNS supported only a full zone transfer (AXFR), in which the entire zone file is replicated to the secondary server. This type of zone transfer is supported by most implementations of DNS. If the secondary server's zone file is not current (that is, changes have been made on the master), the entire zone file is replicated. The second type of zone transfer is known as an incremental zone transfer (IXFR), in which only the changes made to the zone file are replicated to the secondary server, thereby reducing the amount of network traffic. The frequency of zone transfers is configured on the Start of Authority tab.
The following list summarizes the configurable options for zone transfers:
Serial Number: Lists the number used to determine whether the zone file has changed. Each time a change is made, this number is incremented by 1. You can force a zone transfer by manually increasing this number.
Primary Server: Lists the hostname of the primary DNS server for the zone.
Responsible Person: Lists the e-mail address of the person responsible for administering the zone.
Refresh Interval: Determines how often the secondary server polls the primary server for updates. Consider increasing this value for slow network connections.
Retry Interval: Specifies how often the secondary server attempts to contact the primary server if the server does not respond.
Expires After: Specifies when zone file information should expire if the secondary server fails to refresh the information. If a zone expires, zone data is considered to be potentially outdated and is discarded. Secondary master servers do not use zone data from an expired zone.
Minimum (Default) TTL: Specifies how long records from the zone should be cached on other servers.
TTL for this Record: Specifies how long DNS servers are allowed to store a record from the zone in their cache before it expires.
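The Start of Authority fields listed above drive the secondary server's behaviour mechanically, and the following added, constructed example (not Windows code and not from this chapter) puts that behaviour into working form. It parses an SOA record written in zone-file syntax, decides whether a transfer is needed by comparing serial numbers, decides from the Refresh, Retry and Expires After values what a secondary server does at a given moment, and sizes an incremental (IXFR) transfer against a full (AXFR) one. It goes slightly beyond the text in one respect: serial comparison uses the wrap-safe 32-bit sequence arithmetic of RFC 1982 rather than plain "larger is newer". The SOA text, server names and record sets are invented; the interval values are the Windows defaults (refresh 15 minutes, retry 10 minutes, expire 1 day, minimum TTL 1 hour).

```python
"""Secondary-server timing and transfer decisions driven by the SOA fields.

Added, constructed example (not Windows code). It parses an SOA record written
in zone-file syntax, compares serial numbers with the wrap-safe sequence
arithmetic of RFC 1982, decides what a secondary server does at a given moment
from the Refresh, Retry and Expire values, and sizes an incremental (IXFR)
transfer against a full (AXFR) one. The SOA text and record sets are invented.
"""
from typing import Dict, Iterable, Tuple

# Constructed SOA record for bayside.net using the Windows default intervals
# (refresh 15 min, retry 10 min, expire 1 day, minimum TTL 1 hour).
SAMPLE_SOA = """
bayside.net.  IN SOA dns1.bayside.net. hostmaster.bayside.net. (
        2004031501 ; serial
        900        ; refresh
        600        ; retry
        86400      ; expire
        3600 )     ; minimum TTL
"""


def parse_soa(text: str) -> Dict[str, object]:
    """Tokenise an SOA record, ignoring ';' comments and parentheses."""
    cleaned = " ".join(line.split(";")[0] for line in text.splitlines())
    tokens = cleaned.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[i + 3:i + 8])
    return {"zone": tokens[0], "mname": tokens[i + 1], "rname": tokens[i + 2],
            "serial": serial, "refresh": refresh, "retry": retry,
            "expire": expire, "minimum": minimum}


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than b (RFC 1982, 32-bit wrap-around)."""
    half = 1 << 31
    return a != b and ((a < b and b - a > half) or (a > b and a - b < half))


def transfer_needed(local_serial: int, master_serial: int) -> bool:
    """A secondary pulls the zone only when the master's serial is newer."""
    return serial_gt(master_serial, local_serial)


def secondary_action(soa: Dict[str, object], now: int, last_ok: int,
                     last_attempt: int, attempt_failed: bool) -> str:
    """What the secondary does at time `now` (all times in seconds).

    last_ok: time of the last successful refresh check or transfer.
    last_attempt: time of the last contact attempt; attempt_failed says
    whether that attempt got no response from the master.
    """
    if now - last_ok >= soa["expire"]:
        return "expire"   # data discarded; the server stops answering for the zone
    if attempt_failed:
        return "retry" if now - last_attempt >= soa["retry"] else "wait"
    return "refresh" if now - last_ok >= soa["refresh"] else "wait"


def plan_transfer(old_records: Iterable[str], new_records: Iterable[str],
                  ixfr_supported: bool = True) -> Tuple[str, int]:
    """Return (transfer type, number of records sent on the wire).

    IXFR carries only the deleted and added records; AXFR carries the whole zone.
    """
    old, new = set(old_records), set(new_records)
    if not ixfr_supported:
        return "AXFR", len(new)
    return "IXFR", len(old - new) + len(new - old)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(secondary_action(soa, now=1000, last_ok=0, last_attempt=0, attempt_failed=False))  # refresh
    print(secondary_action(soa, now=86400, last_ok=0, last_attempt=86000, attempt_failed=True))  # expire
    print(serial_gt(1, 0xFFFFFFFF))  # True: the serial wrapped around
```

The `expire` branch is the one worth remembering when setting Expires After: once that interval has passed without a successful refresh, the secondary stops serving the zone entirely rather than keep answering with data it can no longer trust.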
NOTE
When zone information is stored within Active Directory, zone updates are replicated differently than in a standard primary/secondary scenario. DNS notification is no longer needed, and configuring a notify list is unnecessary. Instead, the DNS servers that store information within Active Directory poll Active Directory at 15-minute intervals to check for updates.
Zone Delegation
Delegation is the process of designating a portion of the DNS namespace for another zone. It gives administrators a way of dividing a namespace among multiple zones. For example, an administrator might place the bayside.net domain in one zone and place the sales.bayside.net subdomain in another delegated zone. The bayside.net zone would contain all the records for the sales subdomain if it is not delegated. Through delegating, the bayside.net zone contains only information for bayside.net, as well as records to the authoritative name servers for the sales.bayside.net zone. The host entries for any machines in sales.bayside.net are contained only on the delegated server.
In any case, when deciding whether to delegate, keep the following points in mind:
Zone delegation allows you to delegate management of part of the DNS namespace to other departments or locations.
Zone delegation allows you to distribute a large DNS database across multiple servers for load balancing, faster name resolution, and increased performance.
Zone delegation allows you to extend the namespace for business expansion, that is, it is scalable with business needs.
NOTE
To facilitate the delegation of zones, you need the appropriate delegation records that point to authoritative name servers for the new zone(s).
You can use the following procedure to delegate a zone:
From within the DNS management console, right-click the domain you want to delegate and select New Delegation. The New Delegation Wizard opens. Click Next.
Type a name for the delegated domain in the Delegated Domain text box. Click Next.
Specify the name servers that will host the delegated domain by clicking the Add button. The New Resource Record screen appears, allowing you to specify the name and IP address of the name servers. Click OK. Click Next.
Click Finish.
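What the New Delegation Wizard writes into the parent zone, and why the sales.bayside.net host entries then live only on the delegated server, can be checked with a small model. The following is an added, constructed example (not Windows code and not from this chapter) that builds the delegation records for sales.bayside.net, keeps the child's host records in the child zone only, and shows how a server hosting only the parent zone refers a query for a delegated name to the child's name servers. It goes one step beyond the wizard description: when a name server's own name lies inside the delegated subdomain, it also adds the glue A record the parent must hold, which is standard DNS delegation behaviour. Zone names, name servers and addresses are invented.

```python
"""Delegating sales.bayside.net out of bayside.net.

Added, constructed example (not Windows code). It builds the records the parent
zone needs for a delegation (NS records for the subdomain, plus glue A records
for any name server whose own name lies inside the delegated subdomain), keeps
host records in the child zone only, and shows how a server that hosts just the
parent zone refers a query for a delegated name to the child's name servers.
Zone names, name servers and addresses are invented.
"""
from typing import Dict, List, Tuple

Record = Tuple[str, str, str]   # (owner name, record type, data)


def in_zone(name: str, zone: str) -> bool:
    """True if name is the zone apex or lies beneath it."""
    name, zone = name.lower().rstrip("."), zone.lower().rstrip(".")
    return name == zone or name.endswith("." + zone)


def delegation_records(parent: str, child: str, name_servers: Dict[str, str]) -> List[Record]:
    """Records the parent zone must hold so the child zone can be found.

    name_servers maps each name server's hostname to its IP address, as typed
    into the New Delegation wizard's New Resource Record screen.
    """
    if not in_zone(child, parent) or child.lower() == parent.lower():
        raise ValueError(f"{child} is not a subdomain of {parent}")
    records: List[Record] = []
    for ns_name, ip in name_servers.items():
        records.append((child, "NS", ns_name))
        # Glue: a resolver holding only the parent's data cannot look up an
        # address inside the very child it is being referred to, so the parent
        # stores that name server's A record as well.
        if in_zone(ns_name, child):
            records.append((ns_name, "A", ip))
    return records


def lookup(zones: Dict[str, List[Record]], name: str, rtype: str):
    """Answer from the most specific hosted zone, or refer to a delegation.

    zones maps a zone name to its records. Returns ("answer", data list),
    ("referral", name server list), ("nxdomain", None) or ("unknown", None).
    """
    hosted = [z for z in zones if in_zone(name, z)]
    if not hosted:
        return "unknown", None
    zone = max(hosted, key=len)
    for owner, rtype_, _ in zones[zone]:
        # An NS record below the apex marks a delegation: hand the query off.
        if rtype_ == "NS" and owner.lower() != zone.lower() and in_zone(name, owner):
            return "referral", [d for o, t, d in zones[zone] if o == owner and t == "NS"]
    answers = [d for o, t, d in zones[zone] if o.lower() == name.lower() and t == rtype]
    return ("answer", answers) if answers else ("nxdomain", None)


def build_zones() -> Tuple[Dict[str, List[Record]], Dict[str, List[Record]]]:
    """A parent-only server and a child-only server, after delegating sales."""
    parent = [("bayside.net", "NS", "dns1.bayside.net"),
              ("dns1.bayside.net", "A", "10.0.0.5"),
              ("www.bayside.net", "A", "10.0.0.10")]
    parent += delegation_records("bayside.net", "sales.bayside.net",
                                 {"dns1.sales.bayside.net": "10.1.0.5",
                                  "dns2.bayside.net": "10.0.0.6"})
    child = [("sales.bayside.net", "NS", "dns1.sales.bayside.net"),
             ("dns1.sales.bayside.net", "A", "10.1.0.5"),
             ("host1.sales.bayside.net", "A", "10.1.0.20")]   # host entries live here only
    return {"bayside.net": parent}, {"sales.bayside.net": child}


if __name__ == "__main__":
    parent_server, child_server = build_zones()
    print(lookup(parent_server, "host1.sales.bayside.net", "A"))  # referral to the sales name servers
    print(lookup(child_server, "host1.sales.bayside.net", "A"))   # ('answer', ['10.1.0.20'])
```

Note that dns1.sales.bayside.net gets a glue A record in the parent while dns2.bayside.net does not: the parent can resolve dns2 from its own data, but without glue a query for anything under sales.bayside.net would loop back to the delegation it was trying to follow.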
Managing DNS Record Settings
After resource records have been created, they can be managed through the management console. Tasks associated with resource records include modifying the resource records, deleting existing records, and configuring security.
Modifying Resource Records
If you have manually created resource records within a zone, at some point you might need to modify them, such as change the IP address associated with a particular hostname. This won't be an issue if you are using dynamic updates because DNS clients (running the appropriate platform) can update this information on their own.
You can modify a resource record within the DNS management console by selecting the appropriate zone, right-clicking the resource record, and clicking Properties (see Figure 3.9). For example, you can change the hostname, domain name, and IP address of a Host (A) record.
Figure 3.9 You can modify the properties of a resource record through the management console.
Deleting Resource Records
You can delete resource records within a zone file at any time. For example, if you manually create resource records for a server and remove it from the network, you will want to delete the records from the zone file. Deleting a record is a simple process. Simply right-click the record within the zone and click the Delete option. Click Yes to confirm your actions.
Modifying Security for Records
Each record has an associated ACL that can be edited. Doing so enables you to specify which users and groups are permitted to securely update the record and change their permissions. You can modify the security by opening the Properties window for a record and selecting the Security tab (see Figure 3.10).
Figure 3.10 You modify security for a record on its Security tab.
Managing DNS Server Options
Most management tasks performed on a DNS server are done through the DNS management console. When you highlight your DNS server within the DNS management console and click the Action menu, you see a number of options that can be used to manage different aspects of DNS. Some of the options available are summarized as follows:
Set Aging/Scavenging for All Zones: Use this option to configure refresh intervals for resource records. This enables you to refresh resource records on a set schedule. Refreshing periodically keeps bad records, such as invalid URLs, out of the database.
Scavenge Stale Resource Records: Use this option to manually scavenge stale resource records. Stale resource records can accumulate within a zone over a period of time. For example, if a computer registers its own resource record and is shut down improperly, the record might not be removed from the zone file. Scavenging stale resource records can eliminate any problems, such as outdated information.
Update Server Data Files: Use this option to write all changes to the zone file stored within Active Directory to a zone file on the disk.
Clear Cache: Use this option to clear the contents of the name server's cache.
Launch NSLookup: Use this option to open the command prompt from which you can use the NSLookup command.
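How aging decides which records the Scavenge Stale Resource Records action removes, and why a record left behind by an improperly shut-down computer eventually qualifies, is shown by the following added, constructed example (not Windows code and not from this chapter). It models the two intervals a Windows DNS zone uses for aging, the no-refresh interval and the refresh interval (both default to 7 days): a client's re-registration of unchanged data inside the no-refresh interval is ignored, and a record becomes stale only once both intervals have elapsed since its timestamp. Records with no timestamp, as manually created static records are, are never scavenged. Host names, addresses and dates are invented.

```python
"""Aging and scavenging of dynamically registered records.

Added, constructed example (not Windows code). It models the two aging
intervals a Windows DNS zone uses: the no-refresh interval, during which a
client's re-registration of unchanged data is ignored, and the refresh
interval that follows it, during which the record can be refreshed. A record
is stale, and the Scavenge Stale Resource Records action removes it, once both
intervals have elapsed since its timestamp. Records with no timestamp (created
manually, as static records are) are never scavenged. Names, addresses and
dates are invented; the 7-day values are the Windows defaults.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
DEMO_NOW = datetime(2004, 4, 1)   # constructed "current time" for the demo


@dataclass
class Record:
    name: str
    rdata: str
    timestamp: Optional[datetime]   # None for static (manually created) records


def make_record(name: str, rdata: str, days_old: Optional[int],
                now: datetime = DEMO_NOW) -> Record:
    """Build a record last refreshed days_old days ago (None = static record)."""
    stamp = None if days_old is None else now - timedelta(days=days_old)
    return Record(name, rdata, stamp)


def register(rec: Record, rdata: str, now: datetime,
             no_refresh: timedelta = NO_REFRESH) -> bool:
    """A client re-registers its record; returns True if the timestamp was written.

    Unchanged data inside the no-refresh interval is ignored, so a client that
    boots every morning does not cause a zone write (and, for an Active
    Directory-integrated zone, a replication) every day. Changed data is
    always written. A static record keeps its data up to date but never gets
    a timestamp, so it never ages.
    """
    changed = rec.rdata != rdata
    rec.rdata = rdata
    if rec.timestamp is None:
        return False
    if changed or now - rec.timestamp >= no_refresh:
        rec.timestamp = now
        return True
    return False


def is_stale(rec: Record, now: datetime, no_refresh: timedelta = NO_REFRESH,
             refresh: timedelta = REFRESH) -> bool:
    """Eligible for scavenging once no-refresh + refresh has passed since the timestamp."""
    return rec.timestamp is not None and now - rec.timestamp >= no_refresh + refresh


def scavenge(records: List[Record], now: datetime, no_refresh: timedelta = NO_REFRESH,
             refresh: timedelta = REFRESH) -> Tuple[List[Record], List[Record]]:
    """Split records into (kept, removed), as the manual scavenge action would."""
    kept = [r for r in records if not is_stale(r, now, no_refresh, refresh)]
    removed = [r for r in records if is_stale(r, now, no_refresh, refresh)]
    return kept, removed


def demo(now: datetime = DEMO_NOW) -> Tuple[List[str], List[str]]:
    """Return (removed names, kept names) for a small constructed zone."""
    records = [
        make_record("computer1.bayside.net", "10.0.0.21", 2, now),    # booted recently
        make_record("computer2.bayside.net", "10.0.0.22", 10, now),   # past the no-refresh interval
        make_record("oldbox.bayside.net", "10.0.0.50", 21, now),      # shut down improperly weeks ago
        make_record("mail.bayside.net", "10.0.0.3", None, now),       # static, entered by hand
    ]
    register(records[0], "10.0.0.21", now)   # ignored: still inside the no-refresh interval
    register(records[1], "10.0.0.22", now)   # accepted: timestamp moves to now
    kept, removed = scavenge(records, now)
    return [r.name for r in removed], [r.name for r in kept]


if __name__ == "__main__":
    removed, kept = demo()
    print("scavenged:", removed)   # ['oldbox.bayside.net']
    print("kept:", kept)
```

The no-refresh interval is the reason a machine cannot simply keep its record alive by re-registering constantly: only refreshes that arrive after that interval move the timestamp, and a record whose owner has stopped refreshing altogether crosses the no-refresh plus refresh threshold and is removed on the next scavenge.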