The process of deploying a DNS server on a Windows Server 2012 R2 computer is just a matter of installing the DNS Server role by using the Add Roles And Features Wizard in Server Manager. The actual installation requires no additional input; there are no additional pages in the wizard and no role services to select.
Once you install the DNS Server role, the computer is ready to perform caching-only name resolution services for any clients that have access to it. The role also installs the DNS Manager console, which you use to configure the DNS server’s other capabilities. To configure the server to perform other services, consult the following sections.
A zone is an administrative entity you create on a DNS server to represent a discrete portion of the DNS namespace. Administrators typically divide the DNS namespace into zones to store them on different servers and to delegate their administration to different people.
Zones always consist of entire domains and/or subdomains. You can create a zone that contains multiple domains as long as those domains are contiguous in the DNS namespace. For example, you can create a zone containing a parent domain and its child, because they are directly connected, but you cannot create a zone containing two child domains without their common parent, because the two children are not directly connected, as shown in Figure 4-23.
You can divide the DNS namespace into multiple zones and host them on a single DNS server if you want, although there is usually no persuasive reason to do so. The DNS server in Windows Server 2012 R2 can support as many as 200,000 zones on a single server, although it is hard to imagine a scenario that would require that many. In most cases, an administrator creates multiple zones on a server and then delegates most of them to other servers, which then become responsible for hosting them.
Every zone consists of a zone database, which contains the resource records for the domains in that zone. The DNS server in Windows Server 2012 R2 supports three zone types, which specify where the server stores the zone database and what kind of information it contains. These zone types are as follows:
– Primary zone Creates a primary zone that contains the master copy of the zone database, where administrators make all changes to the zone’s resource records. If the zone is not stored in Active Directory, the server creates a primary master zone database file on the local drive. This is a simple text file that is compliant with most non-Windows DNS server implementations.
– Secondary zone Creates a duplicate of a primary zone on another server. The secondary zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server’s local drive. You can only update the resource records in a secondary zone by replicating the primary master zone database file, by using a process called a zone transfer.
– Stub zone Creates a copy of a primary zone that contains the key resource records that identify the authoritative servers for the zone. The stub zone forwards or refers requests. When you create a stub zone, you configure it with the IP address of the server that hosts the zone from which you created the stub. When the server hosting the stub zone receives a query for a name in that zone, it either forwards the request to the host of the zone or replies with a referral to that host, depending on whether the query is recursive or iterative.
DNS was designed long before Active Directory, so most of the Internet relies on primary and secondary zones using text-based database files. The most common DNS server implementation on the Internet is a UNIX program called BIND that uses these databases.
However, for DNS servers supporting internal domains, especially AD DS domains, using the Windows DNS server to create a primary zone and store it in Active Directory is the recommended procedure. When you store the zone in the AD DS database, you do not have to create secondary zones or perform zone transfers, because AD DS takes the responsibility for replicating the data, and whatever backup solution you use to protect Active Directory also protects the DNS data.
Note: Exam 70-410 covers only the process of creating a primary zone stored in Active Directory. The procedures for creating text-based primary and secondary zones and configuring zone transfers are covered on Exam 70-411, “Administering Windows Server 2012 R2,” in Objective , “Configure DNS zones.”
USING ACTIVE DIRECTORY–INTEGRATED ZONES
When you are running the DNS server service on a computer that is an Active Directory Domain Services domain controller and you store the zone in Active Directory while creating a zone in the New Zone Wizard, the server does not create a zone database file. Instead, the server stores the DNS resource records for the zone in the AD DS database. Storing the DNS database in Active Directory provides a number of advantages, including ease of administration, conservation of network bandwidth, and increased security.
In Active Directory–integrated zones, the zone data is replicated automatically to other domain controllers, along with all other Active Directory data. Active Directory uses a multiple master replication system so that copies of the database are updated on all domain controllers in the domain. You can modify the DNS resource records on any writable domain controller hosting a copy of the zone data, and Active Directory will automatically update all the other domain controllers. You don’t have to create secondary zones or manually configure zone transfers, because Active Directory performs all database replication activities.
By default, Windows Server 2012 R2 replicates the data for a primary zone stored in Active Directory to all the other domain controllers running the DNS server in the same AD DS domain where the zone is stored. You can also modify the scope of zone database replication to keep copies on all domain controllers throughout the enterprise or on all domain controllers in the AD DS domain, regardless of whether they are running the DNS server. You can also create a custom replication scope that copies the zone database to the domain controllers
Active Directory conserves network bandwidth by replicating only the DNS data that has changed since the last replication and by compressing the data before transmitting it over the network. The zone replications also use the full security capabilities of Active Directory, including encryption and Kerberos-based authentication, which are considerably more robust than those of file-based zone transfers. The protection provided by Active Directory is also automatic and invisible to the administrator, unlike the process of encrypting file-based zone transfers using IPsec.
CREATING AN ACTIVE DIRECTORY ZONE
To create a new primary zone and store it in Active Directory, use the following procedure.
1. In Server Manager on a domain controller, click Tools, DNS to open the DNS Manager console.
2. Expand the server node and select the Forward Lookup Zones folder.
3. Right-click the Forward Lookup Zones folder and, from the shortcut menu, select New Zone. The New Zone Wizard starts.
4. Click Next to bypass the Welcome page and open the Zone Type page.
5. Leave the Primary Zone option and the Store The Zone In Active Directory (Available Only If DNS Server Is A Domain Controller) check box selected and click Next. The Active Directory Zone Replication Scope page opens.
6. Click Next. The Zone Name page opens.
7. Specify the name you want to assign to the zone in the Zone Name text box and click Next. The Dynamic Update page opens.
8. Select one of the following options:
– Allow Only Secure Dynamic Updates
– Allow Both Nonsecure And Secure Dynamic Updates
– Do Not Allow Dynamic Updates
9. Click Next. The Completing the New Zone Wizard page opens.
10. Click Finish. The wizard creates the zone.
11. Close the DNS Manager console.
To create a primary zone in Active Directory with Windows PowerShell, you use the Add-DnsServerPrimaryZone cmdlet, as shown in the following example.
Add-DnsServerPrimaryZone -Name "zonename.adatum.com" -ReplicationScope "Domain"
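The following script is an added example, not from the book, that performs the same zone creation from PowerShell and then reads the zone back to confirm the choices the wizard pages above correspond to: storage in AD DS, the replication scope, and the dynamic update setting. Of the three Dynamic Update options, Secure is the one to keep for an Active Directory-integrated zone, because it requires the updating client to authenticate before it can register or overwrite a record. It assumes the DnsServer PowerShell module (installed with the DNS Server role) and a domain controller; the zone name corp.adatum.com is a placeholder.

```powershell
# Added example (not from the book): create an Active Directory-integrated
# primary zone and verify how it was stored.
# Assumes the DnsServer module and a domain controller; the zone name is a placeholder.
Import-Module DnsServer

$zoneName = 'corp.adatum.com'

# Same choices as the New Zone Wizard: Primary Zone, stored in Active Directory,
# replicated to DNS servers in this domain, secure dynamic updates only.
# -DynamicUpdate accepts None, NonsecureAndSecure, or Secure.
Add-DnsServerPrimaryZone -Name $zoneName `
    -ReplicationScope 'Domain' `
    -DynamicUpdate 'Secure'

# Read the zone back and check the properties that matter.
$zone = Get-DnsServerZone -Name $zoneName
if (-not $zone.IsDsIntegrated) {
    throw "$zoneName is a file-backed zone; expected it to be stored in AD DS."
}
if ($zone.DynamicUpdate -ne 'Secure') {
    Write-Warning "$zoneName allows '$($zone.DynamicUpdate)' dynamic updates; consider Secure."
}
$zone | Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate

# Audit every primary zone on this server for nonsecure dynamic updates,
# which let an unauthenticated host add or overwrite records in the zone.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    ForEach-Object { Write-Warning "Zone $($_.ZoneName) accepts nonsecure dynamic updates" }
```

Run it in an elevated PowerShell session on the domain controller. The final audit loop is useful on its own against existing servers, since zones created earlier with the wizard's second option keep that setting until someone changes it.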
Once you have created a primary zone, you can proceed to create resource records that specify the names of the hosts on the network and their equivalent IP addresses.
Creating resource records
When you run your own DNS server, you create a resource record for each host name that you want to be accessible by the rest of the network.
There are several different types of resource records used by DNS servers, the most important of which are as follows:
– SOA (Start of Authority) Indicates that the server is the best authoritative source for data concerning the zone. Each zone must have an SOA record and only one SOA record can be in a zone.
– NS (Name Server) Identifies a DNS server functioning as an authority for the zone. Each DNS server in the zone (whether primary master or secondary) must be represented by an NS record.
– A (Address) Provides a name-to-address mapping that supplies an IPv4 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.
– AAAA (Address) Provides a name-to-address mapping that supplies an IPv6 address for a specific DNS name. This record type performs the primary function of the DNS: converting names to addresses.
– PTR (Pointer) Provides an address-to-name mapping that supplies a DNS name for a specific address in the in-addr.arpa domain. This is the functional opposite of an A record, used for reverse lookups only.
– CNAME (Canonical Name) Creates an alias that points to the canonical name (that is, the “real” name) of a host identified by an A record. Administrators use CNAME records to provide alternative names by which systems can be identified.
– MX (Mail Exchanger) Identifies a system that will direct email traffic sent to an address in the domain to the individual recipient, a mail gateway, or another mail server.
To create a new Address resource record, use the following procedure.
1. Log on to Windows Server 2012 R2 using an account with Administrative privileges. The Server Manager window opens.
2. Click Tools, DNS to open the DNS Manager console.
3. Expand the server node and select the Forward Lookup Zones folder.
4. Right-click the zone in which you want to create the record and, from the shortcut menu, select New Host (A or AAAA). The New Host dialog box appears, as shown in Figure 4-24.
FIGURE 4-24 Configuring the New Host dialog box
5. In the Name text box, type the host name for the new record. The FQDN for the record appears.
6. In the IP Address text box, type the IPv4 or IPv6 address associated with the host name.
7. Select the following check boxes, if necessary:
– Create Associated Pointer (PTR) Record Creates a reverse name lookup record for the host in the in-addr.arpa domain
– Allow Any Authenticated User To Update DNS Records With The Same Owner Name Enables users to modify their own resource records
8. Click Add Host. The new resource record is created in the zone you selected.
9. Close the DNS Manager console.
To create a PTR record for a new host, you can select the Create Associated Pointer (PTR) Record check box in the New Host dialog box, but that will only be effective if a reverse lookup zone already exists on the server. To create the zone, follow the same procedure described earlier, this time selecting the Reverse Lookup Zones folder.
When you elect to create an IPv4 reverse lookup zone, a Reverse Lookup Zone Name page opens, like the one shown in Figure 4-25, in which you supply the Network ID that the wizard will use to create the zone.
FIGURE 4-25 Configuring the Reverse Lookup Zone Name page in the New Zone Wizard
Once the zone is created, you can either create PTR records along with A or AAAA records or create a new PTR record by using the New Resource Record dialog box.
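The following script is an added example, not from the book, that ties the record types listed above, the New Host procedure, and the reverse lookup zone together from PowerShell. It creates the reverse lookup zone first, because, as the text notes, the Create Associated Pointer (PTR) Record option (the -CreatePtr switch here) has no effect when no matching reverse zone exists; it then adds A, AAAA, CNAME and MX records and checks that the PTR actually landed. It assumes the DnsServer module on a domain controller; the zone name, host names and the 10.0.0.0/24 and 2001:db8:: addresses are placeholders.

```powershell
# Added example (not from the book): create the common record types and the
# reverse lookup zone they depend on. Assumes the DnsServer module on a domain
# controller; zone, host names and addresses are placeholders.
Import-Module DnsServer

$zone    = 'corp.adatum.com'
$subnet  = '10.0.0.0/24'
$revZone = '0.0.10.in-addr.arpa'   # name the wizard derives from Network ID 10.0.0

# 1. Reverse lookup zone. -NetworkId makes the cmdlet derive the in-addr.arpa name.
if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId $subnet -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# 2. A record plus its PTR (the "Create Associated Pointer (PTR) Record" check box).
#    -CreatePtr silently does nothing without a matching reverse zone, hence step 1.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'web01' -IPv4Address '10.0.0.10' -CreatePtr

# 3. AAAA record (no IPv6 reverse zone is created here, so no -CreatePtr).
Add-DnsServerResourceRecordAAAA -ZoneName $zone -Name 'web01' -IPv6Address '2001:db8::10'

# 4. CNAME alias pointing at the canonical name created in step 2.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'www' -HostNameAlias "web01.$zone"

# 5. MX record for the zone apex (-Name '.' means the zone itself).
Add-DnsServerResourceRecordMX -ZoneName $zone -Name '.' -MailExchange "mail.$zone" -Preference 10

# Verify the forward records and confirm the PTR exists in the reverse zone.
Get-DnsServerResourceRecord -ZoneName $zone |
    Where-Object { $_.RecordType -in @('A', 'AAAA', 'CNAME', 'MX') } |
    Format-Table HostName, RecordType, RecordData -AutoSize

$ptr = Get-DnsServerResourceRecord -ZoneName $revZone -Name '10' -RRType 'PTR' -ErrorAction SilentlyContinue
if ($ptr) { "PTR for 10.0.0.10 -> $($ptr.RecordData.PtrDomainName)" }
else      { Write-Warning "No PTR for 10.0.0.10 in $revZone; check that the reverse zone exists" }
```

The PTR check at the end is the part worth keeping in any provisioning script: because -CreatePtr fails silently, a missing reverse zone shows up only later as reverse lookups that return nothing.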
Configuring DNS server settings
Once you have installed a DNS server and created zones and resource records on it, there are many settings you can alter to modify its behavior. The following sections describe some of these settings.
CONFIGURING ACTIVE DIRECTORY DNS REPLICATION
To modify the replication scope for an Active Directory–integrated zone, open the zone’s Properties sheet in the DNS Manager console and, on the General tab, click Change for Replication: All DNS Servers In The Active Directory Domain to display the Change Zone Replication Scope dialog box, shown in Figure 4-26. The options are the same as those in the New Zone Wizard.
FIGURE 4-26 The Change Zone Replication Scope dialog box
CONFIGURING ROOT HINTS
Most DNS servers must be able to contact the root name servers to initiate name resolution processes. Most server implementations, including Microsoft DNS Server, are preconfigured with the names and addresses of multiple root name servers. These are called Root Hints.
The 13 root name server names are located in a domain called root-servers.net and are named using letters of the alphabet. The servers are scattered around the world on different subnets to provide fault tolerance.
To modify the Root Hints on a Windows Server 2012 R2 DNS server, right-click the server node, open the Properties sheet, and click the Root Hints tab, as shown in Figure 4-27. On this tab, you can add, edit, or remove Root Hints from the list provided.
FIGURE 4-27 The Root Hints tab on a DNS server’s Properties sheet
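The following script is an added example, not from the book, that reads the Root Hints list from PowerShell and flags any entry whose name is not under root-servers.net. Because the server starts every recursive resolution from these entries, an edited or stale root hint quietly redirects all external lookups, so a periodic listing is a cheap check. It assumes the DnsServer module; the property path NameServer.RecordData.NameServer and IPAddress.RecordData.IPv4Address/IPv6Address is the object layout the Get-DnsServerRootHint cmdlet is assumed to return (confirm with Get-DnsServerRootHint | Get-Member on your server).

```powershell
# Added example (not from the book): list root hints and flag unexpected entries.
# Assumes the DnsServer module; the object property paths below are an assumption
# about Get-DnsServerRootHint's output, verify with Get-Member.
Import-Module DnsServer

$hints = @(Get-DnsServerRootHint)
"$($hints.Count) root hints configured"

foreach ($hint in $hints) {
    $name  = $hint.NameServer.RecordData.NameServer
    $addrs = @($hint.IPAddress | ForEach-Object {
        if ($_.RecordData.IPv4Address) { $_.RecordData.IPv4Address.IPAddressToString }
        else                           { $_.RecordData.IPv6Address.IPAddressToString }
    })
    $flag = if ($name -notlike '*.root-servers.net.') { '  <-- not a root-servers.net name' } else { '' }
    '{0,-22} {1}{2}' -f $name, ($addrs -join ', '), $flag
}
```

The same tab in DNS Manager shows the list interactively; the script form is easier to run against every DNS server in the domain and to compare against the published root server addresses.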