
The Domain Name System (DNS) is one of the most important technologies that a
Windows domain network is built on. A properly configured DNS infrastructure
allows users to perform all their daily tasks regardless of the size and nature of
the network, and allows an admin to concentrate on more important matters than the
numerous help desk calls that will appear as soon as www.hotmail.com becomes an
unknown host.

The subject of DNS is vast: there are so many different configurations, techniques
and possible domain structures that no single method fits every network. In my
opinion, the two things to remember when configuring DNS are redundancy and
hierarchy. It is a good idea to draw your network and plan for where there will be
heavy network use, especially if you have many remote sites. A separate DNS server
at each site is preferable but not always cost efficient; to keep things simple, an
"Active Directory Integrated" DNS zone on every Domain Controller is the easiest
way to implement DNS.

I will cover 3 different DNS configurations:

1 - The efficient and secure “Active Directory Integrated” DNS

2 - The standalone Primary DNS Infrastructure and

3 - The network efficient Caching-Only DNS Infrastructure

I will also give an explanation of other useful DNS information.

The Active Directory Integrated Zone

Open the Windows Components part of Add/Remove Programs.

Press Details.

Press OK.

Right-click "Forward Lookup Zone" and select New Zone.

Press Next.

For a new zone, the first zone must be a Primary zone, and in this case it will be
Active Directory Integrated.

Here you decide how far this zone will replicate; if in doubt, select the option
shown above.

Here you decide the namespace that the server will control.

A secure update comes from a computer that has an account in Active Directory. This
is the default setting and the one that should be chosen.

All done, press Finish.

The zone is now ready to use.

The Standalone DNS Infrastructure

The standalone Primary zone is created exactly as above, except that when selecting
the zone type you uncheck the box called "Store the Zone in Active Directory". You
will also be asked whether you want to create a new DNS cache file; you should.
Once the zone is created, right-click it and select Properties:

For a Primary zone the secure-only update option is not available; in this case
select "secure and nonsecure", because not allowing PCs to update their own DNS
entries creates an administrative overhead. Replication is also not available for a
standalone zone. Press Aging:

Aging is not enabled by default. It is a good idea to enable it, but increase both
refresh intervals to 28 days. Press OK.

The serial number increments every time a change is made to the zone, including an
entry being added or removed. The rest of the entries can be left as they are.

Here is the list of DNS servers that operate for the namespace. As other DNS servers
are added, their names will be added to this list.

WINS lookup is disabled by default; only use it if you have pre-Windows 2000
computers and WINS servers.

Zone transfers are enabled by default for a primary standalone zone; select "Only to
servers listed on the Name Servers tab". This ensures that zone transfers are never
sent to rogue DNS servers.

Here you can decide who can administer DNS and who can use it.

Congratulations, your first Primary zone has been configured. Now you need
redundancy:

In a standalone DNS infrastructure only one primary DNS zone is allowed; all other
zones must be secondary, so if the primary zone fails no additions can be made to
the DNS database. Create a secondary DNS zone at locations where there are a lot of
clients. The DNS database is located in C:\Windows\System32\DNS and is named after
the DNS namespace, for example dnsdomain.net.dns.

A standalone DNS infrastructure is not as secure as an Active Directory Integrated
DNS infrastructure and, to be honest, I would use it.

Caching-Only DNS Infrastructure

A caching-only DNS server does not hold a copy of the DNS database; it simply
answers queries and then keeps each answer for future queries. If a caching-only
DNS server is restarted, or the DNS service itself is stopped, the cache of answered
queries is lost. However, a caching-only DNS server performs no zone transfers and
therefore saves network bandwidth, which is useful if a remote site is connected by
a slow link. A caching-only server cannot be used to create or modify DNS entries.
By creating an Active Directory Integrated zone on two or more Domain Controllers
and then having caching-only servers at all other locations, you can minimize
network traffic. However, be sure to point clients at the local caching-only DNS
server first by configuring the appropriate DNS server options in the DHCP scope,
and add the main DNS server as a second DNS server in case there is a fault with
the first one.

A caching-only DNS server is created by installing the DNS service and then making
no further changes. Be sure to add the main DNS server in the Network Connection
TCP/IP options if the server does not use DHCP, or change the root hints file,
C:\Windows\System32\DNS\cache.dns, to include only the main DNS server; no other
entries should be added to the root hints file. In other words, the caching-only
server should only forward a query to the main DNS server if it cannot answer the
query itself.

Example

Other Useful DNS Information

DNS Recursion

Recursion refers to the process of a DNS server querying other DNS servers on behalf
of the original querying client. This process in effect turns the DNS server into a
DNS client. If recursion is disabled on the DNS server, the client uses iteration to
resolve the query. Iteration refers to the process of a DNS client making repeated
queries to different DNS servers itself.

Stub Servers

A Stub Server is a DNS server that holds a stub zone. A stub zone is a copy of the
primary zone that contains Start Of Authority (SOA) and Name Server (NS) resource
records, plus the Host (A) resource records that identify the authoritative servers for
the zone. A stub zone is most commonly used to let a DNS server in one domain
know which DNS servers control the DNS zone in another neighbouring domain.

Host (A) Resource Records

A host record maps a known DNS name to an IP address. Computers running
Windows 2000, Windows XP or Windows 2003 use the DHCP Client service to
dynamically register and update their own resource records. DHCP clients can also
have their resource records updated by the DHCP server (only the DHCP service on
Windows 2003 supports this feature).

The resource record is stored in the zone file using the following text:

server1 A 192.168.0.4

Alias (CNAME) Resource Records

Alias (CNAME) resource records are also sometimes called canonical names.
CNAMEs are used when a number of DNS names point to the same IP Address.

A CNAME entry has the following syntax:

ftp CNAME ftp1.microsoft.com

MX Resource Records

The mail exchanger (MX) resource record is used by email applications to locate a
mail server within a zone. It allows a domain name such as microsoft.com, specified
in an email address such as alan@microsoft.com, to be mapped to the A resource
record of a computer hosting the mail server for the domain. This type of record
allows a DNS server to handle email addresses in which no particular mail server is
specified.

Often multiple MX records are created to provide fault tolerance and failover to
another mail server when the preferred listed server is not available. Multiple servers
are given a server preference value, with the lower values representing higher
preference. The MX record is shown below:

@ MX 1 mailserver1.hirogen.net
@ MX 10 mailserver2.hirogen.net
@ MX 20 mailserver3.hirogen.net

The @ symbol represents the local domain name contained in the email address.

PTR Resource Records

The Pointer (PTR) resource record is used only in reverse lookup zones. Reverse
lookups are performed in zones rooted in the in-addr.arpa domain. PTR records are
added to zones by the same methods with which A records are created.

1 PTR server1.microsoft.com

The 1 represents the name assigned to the host within the 172.16.48.in-addr.arpa
domain. This domain, which is also the name of the hosting zone, corresponds to the
172.16.48.0 subnet.

SRV Resource Records

Service Location (SRV) resource records are used to specify the location of specific
services in a domain. Client applications that are SRV-aware can use DNS to retrieve
the SRV resource records for a given application server. Windows 2003 Active
Directory is an example of an SRV-aware application: the Netlogon service uses SRV
records to locate domain controllers in a domain by searching the domain for the
Lightweight Directory Access Protocol (LDAP) service. All of the SRV records for an
AD DC can be found in a file named Netlogon.dns, located in the
Windows\System32\Config folder. If SRV records are missing from your DNS zone, you
can reload them automatically by running the Netdiag /fix command.

If a computer needs to locate a domain controller in the microsoft.com domain, the
DNS client can send an SRV query for the name:

_ldap._tcp.microsoft.com.

The DNS server responds to the client with all records matching the query.

The SRV record has the following syntax (the second line has no owner name of its
own, so it belongs to the same _ldap._tcp owner as the first):

_ldap._tcp SRV 0 0 389 dc1.hirogen.net
           SRV 10 0 389 dc2.hirogen.net

In this example, an LDAP server (domain controller) with a priority of 0 (highest)
is mapped to port 389 at the host dc1.hirogen.net. A second domain controller with a
lower priority of 10 is mapped to port 389 at the host dc2.hirogen.net. Both entries
have a value of 0 in the weight field, which means no load balancing has been
configured among the servers.
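As an added example (not code from the original article), the following Python parses a constructed zone fragment written in the text form the Host (A), CNAME, MX, PTR and SRV sections above show, and applies the rules those sections describe: MX hosts ordered by preference, SRV targets ordered by priority then weight, CNAME aliases chased to an address, and a PTR owner mapped back to an IPv4 address. It assumes standard zone-file conventions that the article's examples leave implicit: absolute names carry a trailing dot, and a reverse zone's actual name lists the octets in reverse order, so the zone for the 172.16.48.0 subnet is 48.16.172.in-addr.arpa; the hirogen.net names are reused from the article's examples.

```python
from collections import defaultdict
# Constructed zone fragment (not from the article): "@" is the zone origin, a name
# without a trailing dot is relative to it, and a line that starts with whitespace
# (the second SRV line) reuses the previous line's owner name.
ZONE_TEXT = """\
server1 A 192.168.0.4
ftp1 A 192.168.0.5
ftp CNAME ftp1.hirogen.net.
@ MX 1 mailserver1.hirogen.net.
@ MX 10 mailserver2.hirogen.net.
@ MX 20 mailserver3.hirogen.net.
_ldap._tcp SRV 0 0 389 dc1.hirogen.net.
 SRV 10 0 389 dc2.hirogen.net.
"""
def qualify(name, origin):
    """A trailing dot marks an absolute name; anything else is relative to the origin."""
    return name[:-1] if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return {(owner, rtype): [rdata field lists]} with owner names fully qualified."""
    records, owner = defaultdict(list), origin
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():          # explicit owner field on this line
            owner = origin if fields[0] == "@" else qualify(fields[0], origin)
            fields = fields[1:]
        records[(owner, fields[0])].append(fields[1:])
    return records

def resolve_a(records, name, origin):
    """Follow CNAME aliases (at most 8 hops, so an alias loop cannot spin) to an A record."""
    hops = 0
    while not records[(name, "A")] and records[(name, "CNAME")] and hops < 8:
        name, hops = qualify(records[(name, "CNAME")][0][0], origin), hops + 1
    return records[(name, "A")][0][0] if records[(name, "A")] else None

def mx_order(records, domain, origin):
    """Mail hosts for a domain, most preferred (lowest preference value) first."""
    rrs = sorted(records[(domain, "MX")], key=lambda r: int(r[0]))
    return [qualify(host, origin) for _pref, host in rrs]

def srv_order(records, service, origin):
    """(host, port) per service: lowest priority first, then highest weight first."""
    rrs = sorted(records[(service, "SRV")], key=lambda r: (int(r[0]), -int(r[1])))
    return [(qualify(host, origin), int(port)) for _prio, _weight, port, host in rrs]

def ptr_address(ptr_owner, reverse_zone):
    """Map a PTR owner in an in-addr.arpa zone (octets reversed) to its IPv4 address."""
    octets = reverse_zone.removesuffix(".in-addr.arpa").split(".")[::-1]
    return ".".join(octets + [ptr_owner])
```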

DNS Forwarders

If your network is connected to the internet over a slow WAN link, it is a good idea
to have only one DNS forwarder that forwards queries out to the internet. Iteration
is not usually allowed through firewalls, as that would mean leaving ports open.
