Document: Windows Server 2008 Inside Out - P17 - Pdf 87

Name services are essential for communications for Transmission Control Protocol/Internet Protocol (TCP/IP) networking. Windows Server 2008 uses the Domain Name System (DNS) as its primary method of name resolution. DNS enables computers to register and resolve DNS domain names. DNS defines the rules under which computers are named and how names are resolved to IP addresses. Windows Server 2008 also supports Windows Internet Naming Service (WINS), which is covered in detail in Chapter 25, “Implementing and Maintaining WINS.” WINS provides a similar service for NetBIOS names as DNS provides for DNS domain names. WINS maps NetBIOS names to IP addresses for hosts running NetBIOS over TCP/IP.
Installing the DNS Server Service
The way you install the DNS Server service depends on whether you plan to use DNS with Active Directory or without it. After you make that decision, you can install DNS as necessary.
Using DNS with Active Directory
On a domain with Active Directory, DNS is required to install the first domain controller in a domain. Active Directory doesn’t necessarily require Windows DNS, however. Active Directory is designed to work with any DNS server that supports dynamic updates and Service Location (SRV) records. This means Active Directory can work with any DNS server running Berkeley Internet Name Domain (BIND) version 8.1.2 or later. If you have DNS servers that use BIND version 8.1.2 or later, you can use those servers. If you don’t already have BIND servers, you probably won’t want to set these up because there are many benefits to using the Microsoft DNS Server service.
When you install the DNS Server service as part of the Active Directory installation process, you can use Active Directory–integrated zones and take advantage of the many replication and security benefits of Active Directory. Here, any server configured as a domain controller with DNS and using Active Directory–integrated zones is an Active Directory primary name server.
Domain Services Installation Wizard will install and then configure DNS. As the next screen shows, this means a forward lookup zone will be created for the domain. The forward lookup zone will have the Start of Authority (SOA), Name Server (NS), and host Address (A) records for the server you are working with. This designates it as the authoritative name server for the domain. If desired, you can also create reverse lookup zones to allow for IP address to host name lookups. DNS servers support IPv4 and IPv6 for reverse lookups.
4. For the first DNS server in a forest, the Active Directory Domain Services Installation Wizard creates the forest-side locator records and stores them in the _msdcs subdomain. Windows Server 2008 creates this as a separate zone, which is referred to as the forest root zone.
Installing the DNS Server Service 769
Chapter 24

On subsequent domain controllers, you must specifically install the DNS Server service. You do this using the Add Roles Wizard as detailed in “DNS Setup” on the next page.
In an Active Directory domain, secondary and stub zones can also be useful, as dis-

Figure 24-1 Using secondary zones with Active Directory. (Diagram labels: DNS, Active Directory, DNS, cpandl.com, Zone transfer, Zone transfer.)
SIDE OUT
Forest root zones
The forest root zone is an important part of Active Directory. It is in this zone that Active Directory creates SRV resource records used when clients are looking for a particular resource such as global catalog servers, Lightweight Directory Access Protocol (LDAP) servers, and Kerberos servers. The _msdcs subdomain is created as its own zone to improve performance with remote sites. With Windows 2000, remote sites have to replicate the entire DNS database to access forest root records, which means increased replication and bandwidth usage. As a separate zone, only the zone will be replicated to the DNS servers in remote sites as long as Active Directory application partitions are used. In Windows Server 2008, you can enable application partitions for use with DNS as discussed in “Configuring Default Application Directory Partitions and Replication Scope” on page 804.
770 Chapter 24 Implementing and Managing DNS
The implementation steps for this example are as follows:
1. Set up a secondary or stub zone for thephone-company.com on the authoritative
name server for cpandl.com.
2. Set up a secondary or stub zone for cpandl.com on the authoritative name server
for thephone-company.com.

Figure 24-2 The DNS console.
You don’t have to complete the rest of the configuration at the server. You can remotely manage and configure DNS. Simply start the DNS console on your computer, right-click the DNS node in the left pane, and select Connect To DNS Server. In the Connect To DNS Server dialog box, select The Following Computer, type the name or IP address of the DNS server, and then click OK. In the DNS console, host addresses are displayed as IPv4 or IPv6 addresses as appropriate.
The command-line counterpart to the DNS console is Dnscmd. The Dnscmd command-line tool accepts addresses in IPv4 and IPv6 format. From the command prompt on a computer running Windows Server 2008, you can use Dnscmd to perform most of the tasks available in the DNS console as well as to perform many troubleshooting tasks that are specific to Dnscmd. Unlike Netsh, Dnscmd doesn’t offer internal command prompts. You can specify only the server you want to work with followed by the command and the command-line options to use for that command. Thus, the syntax is as follows:
dnscmd ServerName Command CommandOptions
where
• ServerName is the name or IP address of the DNS server you want to work with, such as CORPSVR03 or 192.168.10.15.
• Command is the command to use.
• CommandOptions are the options for the command.
Note
If you are working on the server you want to configure, you don’t have to type the server name or IP address.
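The following script is an added example and not code from the book; it puts the dnscmd ServerName Command CommandOptions syntax to work from a PowerShell prompt on a Windows Server 2008 DNS server, carrying out step 1 of the Figure 24-1 scenario (a stub zone for thephone-company.com on the cpandl.com server) and then restricting zone transfers and dynamic updates for cpandl.com. CORPSVR03 and the two domain names come from the text; the partner address 198.51.100.53 is an assumed RFC 5737 documentation address, and the Invoke-Dnscmd wrapper is the author's own helper.

```powershell
# Added example (not from the book): driving Dnscmd from PowerShell on a
# Windows Server 2008 DNS server. CORPSVR03 comes from the text; the partner
# address is an assumed RFC 5737 documentation address. Replace both.
$Server    = 'CORPSVR03'        # DNS server to manage
$PartnerNs = '198.51.100.53'    # assumed: authoritative server for thephone-company.com

function Invoke-Dnscmd {
    # Every call follows the documented shape: dnscmd ServerName Command CommandOptions.
    # Dnscmd reports failures through its exit code, so stop on anything non-zero
    # instead of silently continuing with a half-configured server.
    param([string[]]$Arguments)
    & dnscmd.exe $Server $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# 1. Identify the server and list the zones it already hosts.
Invoke-Dnscmd '/Info'
Invoke-Dnscmd '/EnumZones'

# 2. Step 1 of the Figure 24-1 scenario: on the cpandl.com server, create a
#    stub zone for the partner domain. The stub holds only the partner's SOA,
#    NS and glue A records and refreshes them from $PartnerNs, so this server
#    can locate the partner's name servers without copying the whole zone.
Invoke-Dnscmd '/ZoneAdd', 'thephone-company.com', '/Stub', $PartnerNs
# A full read-only copy (a secondary zone) instead of a stub would be:
#   Invoke-Dnscmd '/ZoneAdd', 'thephone-company.com', '/Secondary', $PartnerNs
# Step 2 of the scenario is the mirror image and is run on the partner's server.

# 3. The partner will host a secondary or stub zone for cpandl.com, so it needs
#    zone transfers. Allow them to that address only, not to any host that asks.
Invoke-Dnscmd '/ZoneResetSecondaries', 'cpandl.com', '/SecureList', $PartnerNs

# 4. Accept only secure dynamic updates for the Active Directory-integrated zone
#    (/AllowUpdate 2 = secure only, 1 = nonsecure and secure, 0 = none).
Invoke-Dnscmd '/Config', 'cpandl.com', '/AllowUpdate', '2'

# 5. Show the resulting zone settings for review.
Invoke-Dnscmd '/ZoneInfo', 'cpandl.com'
```

Run the script on the DNS server itself or from any Windows Server 2008 computer that has Dnscmd and the rights to manage the target server. Because the wrapper throws on a non-zero exit code, a typo in a zone name or an address that Dnscmd rejects stops the script at that step rather than leaving later steps applied to a server in an unknown state.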

You can confirm the new setting by typing ipconfig /all at the command prompt and checking for the DNS server entry. The server should have the same setting for the IP address and primary DNS server.
Configuring DNS Using the Wizard
From the DNS console, you can start the Configure A DNS Server Wizard and use it to help you set up a DNS server. This wizard is useful for helping you configure small networks that work with Internet service providers (ISPs) and large networks that use forwarding.

For small networks, the Configure A DNS Server Wizard creates only a forward lookup zone. For large networks, the Configure A DNS Server Wizard creates a forward lookup zone and a reverse lookup zone. This might get you to thinking whether reverse lookup zones are needed on your network. Computers use reverse lookups to find out who is contacting them. Often this is so that they can display a host name to users rather than an IP address. So, although a reverse lookup zone isn’t created by the Configure A DNS Server Wizard for small networks, you might still want to create one. If so, follow the procedure discussed in “Creating Reverse Lookup Zones” on page 785.
Configuring a Small Network Using the Configure A DNS Server Wizard
For a small network, you can use the wizard to set up your forward lookup zone and query forwarding to your ISP or other DNS servers. You can also choose to configure this zone as a primary or secondary zone. You use the primary zone option if your organization maintains its own zone. You use the secondary zone if your ISP maintains your zone. This gives you a read-only copy of the zone that can be used by internal clients. Because small networks don’t normally need reverse lookup zones, these are not created. You can, of course, create these zones later if needed.
To configure a small network using the Configure A DNS Server Wizard, follow these

Figure 24-3 Select the first option to configure DNS for a small network.
3. As shown in Figure 24-4, you can now choose whether the DNS server or your ISP maintains the zone and then click Next. Keep the following in mind:
• If the DNS server maintains the zone, the wizard configures a primary zone that you control. This allows you to create and manage the DNS records for the organization.
• If your ISP maintains the zone, the wizard configures a secondary zone that will get its information from your ISP. This means the staff at the ISP will need to create and manage the DNS records for the organization—and you will need to pay them to do so.
Note
If Active Directory is installed on the network, this zone will be automatically integrated with Active Directory. To avoid this, you can choose the second option, Create Forward And Reverse Lookup Zones (Recommended For Large Networks), and then proceed as discussed in “Configuring a Large Network Using the Configure A DNS Server Wizard” on page 778. When the wizard gets to the reverse lookup zone configuration part, you can skip this if you don’t want to create a reverse lookup zone.
Figure 24-4 Specify whether the zone will be maintained on the server or by your ISP.
4. On the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy. For example, if you’re creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.

address for a second forwarder as well. If you don’t want to use forwarders, select No, It Should Not Forward Queries.
Note
Selecting the No, It Should Not Forward Queries option won’t prevent internal name servers from forwarding queries altogether. A root hints file will still be created, which lists the root name servers on the public Internet. Thus, if you don’t designate forwarders, such as the primary and secondary name servers of your ISP, the internal name servers will still forward queries. To prevent this, you must modify the root hints file as discussed in “Security Considerations” on page 757.
8. When you click Next, the wizard will search for and retrieve the current root hints. Click Finish to complete the configuration and exit the wizard. If there is a problem configuring the root hints, you will need to configure the root hints manually or copy them from another server.
Configuring a Large Network Using the Configure A DNS Server Wizard
For a large network, you can use the wizard to set up your forward and reverse lookup zones and to set up forwarding with or without recursion. With recursion, queries for external resources are first forwarded to your designated servers, but if those servers are unavailable, the DNS server forwards queries to the root name servers. Without recursion, queries for external resources are only forwarded to your designated servers. The DNS Server service can send queries to IPv4-only, dual-stack IPv4/IPv6, and IPv6-only servers.
To configure a large network using the Configure A DNS Server Wizard, follow these steps:
1. Right-click the server entry in the DNS console, and select Configure A Server. When the wizard starts, click Next.
Note
If the server you want to work with isn’t shown, right-click the DNS node in the left pane,

• Secondary Zone—Use this option to create a secondary zone. This means the server will have a read-only copy of the zone and must use zone transfers to get updates.
• Stub Zone—Use this option to create a stub zone. This creates only the necessary glue records for the zone. Optionally, specify that this zone should be integrated with Active Directory. This means the zone will be stored in Active Directory and be updated using Active Directory replication.
Figure 24-8 Select the zone type.
5. If you created an Active Directory–integrated zone, specify the replication scope, and then click Next. As Figure 24-9 shows, you have the following options:
• To All DNS Servers In This Forest—Enables replication of the zone information to all domains in the Active Directory forest. Each DNS server in the forest will receive a copy of the zone information and get updates through replication.
• To All DNS Servers In This Domain—Enables replication of the zone information in the current domain. Each DNS server in the domain will receive a copy of the zone information and get updates through replication.
• To All Domain Controllers In This Domain—Replicates zone information to all domain controllers in the Active Directory domain. As with a Windows 2000 domain, all domain controllers will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.


• Allow Only Secure Dynamic Updates—This option is available only on domain controllers and when Active Directory is deployed. It provides for the best security possible by restricting which clients can perform dynamic updates.
• Allow Both Nonsecure And Secure Dynamic Updates—This option allows any client to update resource records in DNS. Although it allows both secure and nonsecure updates, it doesn’t validate updates, which means dynamic updates are accepted from any client.
• Do Not Allow Dynamic Updates—This option disables dynamic updates in DNS. You should use this option only when the zone isn’t integrated with Active Directory.
10. To create a reverse lookup zone, accept the default option on the Reverse Lookup
Zone page, and then click Next. Otherwise, click No, and skip to step 16.
11. On the Zone Type page, you can select the zone type. The options available are
the same as when creating a forward lookup zone. Click Next after making a
selection.
12. If you created an Active Directory–integrated zone, specify the replication scope,
and then click Next.
13. Specify whether you are creating an IPv4 reverse lookup zone or an IPv6 reverse lookup zone and then click Next. Do one of the following:
• If you are configuring a reverse lookup zone for IPv4, type the network ID for the reverse lookup zone as shown in Figure 24-10 and then click Next. The values you enter set the default name for the reverse lookup zone. If you have multiple subnets on the same network, such as 192.168.1, 192.168.2, and 192.168.3, you should enter only the network portion for the zone name, such as 192.168 rather than the complete network ID. The DNS Server service will then fill in the necessary subnet zones as you use IP

Configuring DNS Zones, Subdomains, Forwarders, and Zone Transfers
Windows Server 2008 supports primary, secondary, Active Directory–integrated, and stub zones, each of which can be created to support either forward lookups or reverse lookups. Forward lookup queries allow a client to resolve a host name to an IP address. Reverse lookups allow a client to resolve an IP address to a host name. At times you might also need to configure subdomains, forwarders, and zone transfers. All of these topics are discussed in this section.
Creating Forward Lookup Zones
To create the initial forward lookup zone or additional forward lookup zones on a
server, follow these steps:
1. In the DNS console, expand the node for the server you want to work with. Right-click the Forward Lookup Zones entry, and then choose New Zone. Afterward, in the New Zone Wizard, click Next.
2. Select the zone type. Choose one of the following options, and then click Next:
• Primary Zone—Use this option to create a primary zone and designate this server to be authoritative for the zone. Ensure that the Store The Zone In Active Directory check box is selected if you want to integrate DNS with Active Directory. Otherwise, clear this check box so that a standard primary zone is created.

tion to a designated application partition. Any domain controllers configured with the application partition will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.
4. On the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy. For example, if you’re creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.
5. If you’re creating a standard primary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file. In most cases, you’ll simply accept the default name and allow the wizard to create the file for you in the %SystemRoot%\System32\Dns folder. If you are migrating from a BIND DNS server or have a preexisting zone file, you can select Use This Existing File and then type the name of the file that you’ve copied to the %SystemRoot%\System32\Dns folder. Click Next when you are ready to continue.
6. If you’re creating a secondary zone, you see the Master DNS Servers page. Type the IP address of the primary DNS server that’s maintaining the zone, and then click Add. Repeat this step to specify additional name servers. Zone transfers will be configured to copy the zone information from these DNS servers.
7. On the Dynamic Update page, choose how you want to configure dynamic updates, and then click Next. You can use one of these options:
• Allow Only Secure Dynamic Updates—This option is available only on domain controllers and when Active Directory is deployed. It provides for the best security possible by restricting which clients can perform dynamic updates.
• Allow Both Nonsecure And Secure Dynamic Updates—This option allows any


• If you are configuring a reverse lookup zone for IPv6, type the network prefix for the reverse lookup zone and then click Next. The values you enter are used to automatically generate the related zone names. Depending on the prefix you enter, up to eight zones may be created.
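The script below is an added example, not code from the book. It reproduces the zone naming that the wizard derives from an IPv4 network ID (the in-addr.arpa name) or an IPv6 prefix (the ip6.arpa name) as described in step 13 above, and then creates the zones and a PTR record with Dnscmd. CORPSVR03 and the 192.168.1 network come from the text; the 2001:db8::/32 prefix and the host corpsvr03.cpandl.com are constructed sample values, and the two Get-ReverseZoneName functions are the author's own helpers. The IPv6 helper is deliberately narrower than the wizard: it builds a single zone and only accepts prefix lengths that fall on a 4-bit (nibble) boundary, rejecting anything else rather than guessing.

```powershell
# Added example (not from the book): derive reverse lookup zone names the way
# the wizard does, then add the zones with Dnscmd. CORPSVR03 is from the text;
# the IPv6 prefix and host name below are constructed sample values.
$Server = 'CORPSVR03'

function Get-ReverseZoneName {
    # "192.168.1" -> "1.168.192.in-addr.arpa"; "192.168" -> "168.192.in-addr.arpa".
    # Entering only the network portion yields one zone that covers every subnet.
    param([string]$NetworkId)
    $octets = $NetworkId.Split('.')
    if ($octets.Count -lt 1 -or $octets.Count -gt 3) {
        throw "Network ID must have one to three octets: $NetworkId"
    }
    foreach ($o in $octets) {
        if ($o -notmatch '^\d{1,3}$' -or [int]$o -gt 255) { throw "Bad octet '$o' in $NetworkId" }
    }
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

function Get-ReverseZoneNameV6 {
    # "2001:db8::/32" -> "8.b.d.0.1.0.0.2.ip6.arpa". Each hex nibble becomes one
    # label, so this helper accepts only prefix lengths that are multiples of 4.
    param([string]$Prefix)
    $parts = $Prefix.Split('/')
    if ($parts.Count -ne 2) { throw "Expected address/length: $Prefix" }
    $length = [int]$parts[1]
    if ($length -lt 4 -or $length -gt 128 -or ($length % 4) -ne 0) {
        throw "Prefix length must be a multiple of 4 between 4 and 128: $Prefix"
    }
    $ip = [System.Net.IPAddress]::Parse($parts[0])
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $($parts[0])"
    }
    # 16 address bytes -> 32 hex digits; keep only the prefix nibbles, reverse them.
    $hex = ($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }) -join ''
    $nibbles = $hex.Substring(0, $length / 4).ToCharArray()
    [array]::Reverse($nibbles)
    return ($nibbles -join '.') + '.ip6.arpa'
}

$v4Zone = Get-ReverseZoneName '192.168.1'        # 1.168.192.in-addr.arpa
$v6Zone = Get-ReverseZoneNameV6 '2001:db8::/32'  # 8.b.d.0.1.0.0.2.ip6.arpa

# Create both zones as Active Directory-integrated primaries and show each one.
foreach ($zone in $v4Zone, $v6Zone) {
    & dnscmd.exe $Server /ZoneAdd $zone /DsPrimary
    if ($LASTEXITCODE -ne 0) { throw "Could not add $zone (exit code $LASTEXITCODE)" }
    & dnscmd.exe $Server /ZoneInfo $zone
}

# The PTR record for host 192.168.1.10 lives at node "10" of the IPv4 zone.
& dnscmd.exe $Server /RecordAdd $v4Zone 10 PTR corpsvr03.cpandl.com.
```

The octet and prefix checks matter because Dnscmd will happily create a zone with a malformed name; a zone named from a typo such as 192.168.300 would never match any query, and the failure would only show up later as reverse lookups that quietly return nothing.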
5. If you’re creating a standard secondary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file.
6. On the Dynamic Update page, choose how you want to configure dynamic updates, and then click Next.
7. Click Next and then click Finish to complete the configuration and exit the wizard.
Configuring Forwarders and Conditional Forwarding
In a normal configuration, if a DNS name server can’t resolve a request, it forwards the request for resolution. A server to which DNS queries are forwarded is referred to as a forwarder. You can specifically designate forwarders that should be used by your internal DNS servers. For example, if you designate your ISP’s primary and secondary name servers as forwarders, queries that your internal name servers can’t resolve will be forwarded to these servers. Forwarding can still take place, however, even if you don’t specifically designate forwarders. The reason for this is that the root hints file specifies the root name servers for the public Internet and these servers can be used as forwarders. Any time forwarders are not specified or available, requests can be forwarded to the root name servers. The root name servers then forward the requests to the appropriate top-level domain name server, which forwards them to the next-level domain server, and so on. This process is referred to as recursion, and, as you can see, this involves a number of forwarding actions. DNS servers can send recursive queries to IPv4-only, dual-stack IPv4/IPv6, and IPv6-only servers.
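As an added example that is not part of the book, the script below configures the forwarding behaviour just described with Dnscmd: forwarding to the ISP's servers without recursion (the forward-only case, where an unavailable forwarder means the query fails rather than falling back to the root hints), forwarding with recursion, a conditional forwarder for the partner domain, and, for a server that should only answer for its own zones, turning recursion off altogether. CORPSVR03 and thephone-company.com come from the text; the ISP and partner addresses are assumed RFC 5737 documentation addresses, the five-second timeout is an assumed value, and Invoke-Dnscmd is the author's own wrapper.

```powershell
# Added example (not from the book): forwarding and recursion settings on a
# Windows Server 2008 DNS server via Dnscmd. CORPSVR03 is from the text; the
# addresses below are assumed RFC 5737 documentation addresses.
$Server        = 'CORPSVR03'
$IspForwarders = '203.0.113.2', '203.0.113.3'   # assumed: ISP primary and secondary name servers
$PartnerNs     = '198.51.100.53'                # assumed: authoritative for thephone-company.com

function Invoke-Dnscmd {
    # dnscmd ServerName Command CommandOptions, stopping on a non-zero exit code.
    param([string[]]$Arguments)
    & dnscmd.exe $Server $Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

# Forwarding without recursion (/Slave): queries the server cannot answer go to
# the ISP forwarders only. If none replies within the timeout the query fails
# instead of the server walking the root hints itself. Arrays are concatenated
# with + so each address reaches dnscmd as its own argument.
Invoke-Dnscmd (@('/ResetForwarders') + $IspForwarders + @('/Slave', '/Timeout', '5'))

# Forwarding with recursion (/NoSlave) would instead let the server fall back
# to the root name servers whenever the forwarders are unavailable:
#   Invoke-Dnscmd (@('/ResetForwarders') + $IspForwarders + @('/NoSlave'))

# Conditional forwarder: queries for the partner domain go straight to its
# authoritative server rather than to the ISP forwarders. A conditional
# forwarder and a stub or secondary zone for the same name are alternatives;
# the server can hold only one zone entry named thephone-company.com.
Invoke-Dnscmd '/ZoneAdd', 'thephone-company.com', '/Forwarder', $PartnerNs

# Authoritative-only server: disable recursion so the server answers only for
# the zones it hosts and never chases forwarders or root hints on behalf of
# clients. Use this only where clients resolve through a different server.
#   Invoke-Dnscmd '/Config', '/NoRecursion', '1'

# Show the effective server settings (forwarders, IsSlave, NoRecursion) for review.
Invoke-Dnscmd '/Info'
```

Forward-only mode is the setting to reach for on internal servers that must never talk to the Internet directly, since the failure mode when the ISP servers are unreachable is a visible resolution error rather than an unexpected outbound query to the root servers; the /NoRecursion switch goes one step further and is appropriate only for a server whose sole job is to be authoritative.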
Another forwarding option is to configure what is called a conditional forwarder. When

