Windows 2003 active directory dns configuration

To do this:. When the Windows Components Wizard comes up, scroll down and highlight Networking Services and then click the Details button. Note that, during the install, Windows may generate an error claiming that it could not find a file needed for DNS installation. The wizard should automatically find the file and allow you to select it. After that, the wizard should resume the install. After this, DNS should be successfully installed. As our DNS server was just installed it is not populated with anything.

The Forward Lookup Zones node stores zones that are used to map host names to IP addresses, whereas the Reverse Lookup Zones node stores zones that are used to map IP addresses to host names. A cache-only DNS server contains no zones or resource records. Its only function is to cache answers to queries that it processes, that way if the server receives the same query again later, rather than go through the recursion process again to answer the query, the cache-only DNS server would just return the cached response, thereby saving time.

With its limited functionality, a cache-only DNS server is best suited for a small office environment or a small remote branch office. However, in a large enterprise where Active Directory is typically deployed, more features would be needed from a DNS server, such as the ability to store records for computers, servers and Active Directory. The DNS server stores those records in a database, or a zone. DNS has a few different types of zones, and each has a different function. We will first create a primary forward lookup zone titled firewall.

We do not want to name it firewall. On the Zone Type screen, make sure that Primary zone is selected and click Next. We now have a foundation that we can place resource records in for name resolution by internal clients. Contrary to the forward lookup zone, a reverse lookup zone is used by the DNS server to resolve IP addresses to host names. Not as frequently used as forward lookup zones, reverse lookup zones are often used by anti-spam systems in countering spam and by monitoring systems when logging events or issues.

To create a reverse lookup zone:. On the Reverse Lookup Zone Name screen, enter There is now a reverse lookup zone titled This will be used to store PTR records for computers and servers in those subnets. Using the instructions above, go ahead and create two additional reverse lookup zones, one for a There are different types of resource records, and the DNS server will respond with the record that is requested in a query.

As such, we will create all but SRV records because Active Directory will create those automatically:. Right-click firewall. And, for demonstration purposes, it does not matter whether this server actually exists or not. A corresponding PTR record will be created in the appropriate reverse lookup zone. On the Browse window, double-click the server name, then double-click Forward Lookup Zones, then double-click firewall.

This should populate the webserver's fully qualified domain name in the Fully qualified domain name FQDN for target host text field. Click OK afterwards. On the New Resource Record window, click Browse , double-click the server name, then double-click Forward Lookup Zones, then double-click firewall.

This should populate the mailserver's fully qualified domain name in the Fully qualified domain name FQDN of mail server text field. For example, a client named "oldhost" is first configured in system properties to have the following names: Computer name: oldhost DNS domain name of computer: example.

In this example, no connection-specific DNS domain names are configured for the computer. If you rename the computer from "oldhost" to "newhost", the following name changes occur: Computer name: newhost DNS domain name of computer: example.

After the name change is applied in System Properties , Windows prompts you to restart the computer. The client computer uses the currently configured FQDN of the computer, such as " newhost. For standard primary zones, the primary server, or owner, that is returned in the SOA query response is fixed and static. The primary server name always matches the exact DNS name as that name is displayed in the SOA resource record that is stored with the zone. However, if the zone that is being updated is directory-integrated, any DNS server that is loading the zone can respond and dynamically insert its own name as the primary server of the zone in the SOA query response.

The client processes the SOA query response for its name to determine the IP address of the DNS server that is authorized as the primary server for accepting its name. If it is required, the client performs the following steps to contact and dynamically update its primary server:. The client sends a dynamic update request to the primary server that is determined in the SOA query response.

If this update fails, the client next sends an NS-type query for the zone name that is specified in the SOA record. When the client receives a response to this query, the client sends an SOA query to the first DNS server that is listed in the response. After the SOA query is resolved, the client sends a dynamic update to the server that is specified in the returned SOA record.

If this update fails, the client repeats the SOA query process by sending to the next DNS server that is listed in the response. After the primary server that can perform the update is contacted, the client sends the update request, and the server processes it. The contents of the update request include instructions to add A, and possibly PTR, resource records for " newhost. The server also checks to make sure that updates are permitted for the client request.

For standard primary zones, dynamic updates are not secured. Any client attempt to update succeeds. For Active Directory-integrated zones, updates are secured and performed using directory-based security settings.

Dynamic updates are sent or refreshed periodically. By default, computers send an update every twenty-four hours. If the update causes no changes to zone data, the zone remains at its current version, and no changes are written. Updates that cause actual zone changes or increased zone transfers occur only if names or addresses actually change.

Names are not removed from DNS zones if they become inactive or if they are not updated within the update interval of twenty-four hours. DNS does not use a mechanism to release or to tombstone names, although DNS clients do try to delete or to update old name records when a new name or address change is applied. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response.

Scope clients can use the DNS dynamic update protocol to update their host name-to-address mapping information whenever changes occur to their DHCP-assigned address. This mapping information is stored in zones on the DNS server. This enables the client to notify the DHCP server as to the service level it requires.

In this case, the option is processed and interpreted by Windows Server-based DHCP servers to determine how the server initiates updates on behalf of the client. This is the default configuration for Windows. To configure the DHCP server to register client information according to the client's request, follow these steps:. By default, updates are always performed for newly installed Windows Server-based DHCP servers and any new scopes that you create for them.

The following examples show how this process varies in different cases. For these DHCP clients, updates are typically handled in the following manner:. After you integrate a zone, you can use the access control list ACL editing features that are available in the DNS snap-in to add or to remove users or groups from the ACL for a specific zone or for a resource record. For more information, search for the "To modify security for a resource record" topic or the "To modify security for a directory integrated zone" topic in Windows Server Help.

By default, dynamic update security for Windows Server DNS servers and clients is handled in the following manner:. Windows Server-based DNS clients try to use nonsecure dynamic updates first. If the nonsecure update is refused, clients try to use a secure update. Also, clients use a default update policy that lets them to try to overwrite a previously registered resource record, unless they are specifically blocked by update security.

By default, when you use standard zone storage, the DNS Server service does not enable dynamic updates on its zones. For zones that are either directory-integrated or use standard file-based storage, you can change the zone to enable all dynamic updates. This enables all updates to be accepted by passing the use of secure updates. The secure dynamic updates functionality can be compromised if the following conditions are true:. For more information, see the "Security considerations when you use the DnsUpdateProxy group" section.

The secure dynamic update functionality is supported only for Active Directory-integrated zones. If you configure a different zone type, change the zone type, and then integrate the zone before you secure it for DNS updates. If you use secure dynamic updates in this configuration with Windows Server-based DNS servers, resource records may become stale.

In some circumstances, this scenario may cause problems. For example, if DHCP1 fails and a second backup DHCP server comes online, the backup server cannot update the client name because the server is not the owner of the name.

In another example, assume that the DHCP server performs dynamic updates for legacy clients. If you upgrade those clients to a version supporting dynamic updates, the upgraded client cannot take ownership or update its DNS records. To solve this problem, a built-in security group named DnsUpdateProxy is provided. If all DHCP servers are added to the DnsUpdateProxy group, the records of one server can be updated by another server if the first server fails. Also, all the objects that are created by the members of the DnsUpdateProxy group are not secured.

Therefore, the first user who is not a member of the DnsUpdateProxy group and that modifies the set of records that is associated with a DNS name becomes its owner. When legacy clients are upgraded, they can take ownership of their name records at the DNS server. If every DHCP server that registers resource records for legacy clients is a member of the DnsUpdateProxy group, many problems are eliminated. If you are using multiple DHCP servers for fault tolerance and secure dynamic updates, add each server to the DnsUpdateProxy global security group.

Also, objects that are created by the members of the DnsUpdateProxy group are not secure. Therefore, you cannot use this group effectively in an Active Directory-integrated zone that enables only secure dynamic updates unless you take additional steps to enable records that are created by members of the group to be secured.