Configuring DNS Using the Wizard

From the DNS console, you can start the Configure A DNS Server Wizard and use it to help you set up a DNS server. This wizard is useful for helping you configure small networks that work with Internet service providers (ISPs) and large networks that use forwarding.

Configuring a Small Network Using the Configure A DNS Server Wizard

For a small network, you can use the wizard to set up your forward lookup zone and query forwarding to your ISP or other DNS servers. You can also choose to configure this zone as a primary or secondary zone. You use the primary zone option if your organization maintains its own zone. You use the secondary zone option if your ISP maintains your zone; this gives you a read-only copy of the zone that internal clients can use. Because small networks don't normally need reverse lookup zones, the wizard doesn't create one. You can, of course, create these zones later if needed.

To configure a small network using the Configure A DNS Server Wizard, follow these steps:

  1. Click Next to continue in the Configure A DNS Server Wizard. If the wizard isn't already started, right-click the server entry in the DNS console, and select Configure A Server. When the wizard starts, click Next.

    Note

    If the server you want to work with isn't shown, right-click the DNS node in the left pane, and select Connect To DNS Server. In the Connect To DNS Server dialog box, select The Following Computer, type the name or IP address of the DNS server, and then click OK.

  2. Choose Create A Forward Lookup Zone (Recommended For Small Networks), as shown in Figure 27-3, and then click Next.

    Figure 27-3. Select the first option to configure DNS for a small network.

    Note

    If Active Directory is installed on the network, this zone will be automatically integrated with Active Directory. To avoid this, you can choose the second option, Create Forward And Reverse Lookup Zones (Recommended For Large Networks), and then proceed as discussed in the section entitled "Configuring a Large Network Using the Wizard" later in this chapter. When the wizard reaches the reverse lookup zone configuration, you can skip it if you don't want to create a reverse lookup zone.

  3. As shown in Figure 27-4, you can now choose whether the DNS server or your ISP maintains the zone and then click Next. Keep the following in mind:

    • If the DNS server maintains the zone, the wizard configures a primary zone that you control. This allows you to create and manage the DNS records for the organization.

    • If your ISP maintains the zone, the wizard configures a secondary zone that will get its information from your ISP. This means the staff at the ISP will need to create and manage the DNS records for the organization—and you will need to pay them to do so.

    Figure 27-4. Specify whether the zone will be maintained on the server or by your ISP.

  4. In the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy. For example, if you're creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.

  5. If your ISP maintains the zone, you see the Master DNS Servers page, as shown in Figure 27-5. Type the IP address of the primary DNS server that's maintaining the zone for you, and then click Add. Repeat this step to specify additional name servers at your ISP. Zone transfers will be configured to copy the zone information from these DNS servers.

    Figure 27-5. Specify the primary name server and other name servers at the ISP.

  6. If you choose to maintain the zone, you see the Dynamic Update page, as shown in Figure 27-6. Choose how you want to configure dynamic updates, and then click Next. You can use one of these options:

    • Allow Only Secure Dynamic Updates—This option is available only on domain controllers and when Active Directory is deployed. It provides for the best security possible by restricting which clients can perform dynamic updates.

    • Allow Both Nonsecure And Secure Dynamic Updates—This option allows any client to update resource records in DNS. Although secure updates are accepted too, the server doesn't validate updates, which means dynamic updates are accepted from any client.

    • Do Not Allow Dynamic Updates—Choosing this option disables dynamic updates in DNS. You should use this option only when the zone isn't integrated with Active Directory.

    Figure 27-6. Set the dynamic updates options.

  7. The Forwarders page allows you to configure forwarding of DNS queries. If you want internal DNS servers to forward queries that they can't resolve to another server, type the IP address for that server. You can optionally include the IP address for a second forwarder as well. If you don't want to use forwarders, select No, It Should Not Forward Queries.

    Note

    Selecting the No, It Should Not Forward Queries option won't prevent internal name servers from forwarding queries altogether. A root hints file will still be created, which lists the root name servers on the public Internet. Thus, if you don't designate forwarders, such as the primary and secondary name servers of your ISP, the internal name servers will still forward queries. To prevent this, you must modify the root hints file as discussed in the section entitled "Security Considerations".

  8. When you click Next, the wizard will search for and retrieve the current root hints. Click Finish to complete the configuration and exit the wizard.
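The same small-network configuration expressed with the DnsServer PowerShell module, as an added example rather than text from the book. cpandl.com is the book's example zone; the ISP addresses are constructed placeholders, and the domain-controller check used to decide whether secure dynamic updates are available is an assumption.

```powershell
# Added example (not from the book): scripted equivalent of the small-network wizard path.
Import-Module DnsServer

$ZoneName         = 'cpandl.com'
$IspServers       = @('203.0.113.10', '203.0.113.11')   # constructed placeholder ISP resolvers
$IspMaintainsZone = $false                              # $true = "my ISP maintains the zone"

if ($IspMaintainsZone) {
    # Wizard steps 3 and 5: read-only secondary copy pulled from the ISP's masters.
    Add-DnsServerSecondaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
        -MasterServers $IspServers
} else {
    # Wizard steps 3 and 6: primary zone under local control. The wizard offers
    # "Allow Only Secure Dynamic Updates" only on a domain controller (assumed
    # check: DomainRole 4 or 5); a file-backed zone cannot be secured that way,
    # so dynamic updates are turned off for it instead.
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    if ($isDc) {
        Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Domain `
            -DynamicUpdate Secure
    } else {
        Add-DnsServerPrimaryZone -Name $ZoneName -ZoneFile "$ZoneName.dns" `
            -DynamicUpdate None
    }
}

# Wizard step 7: forward unresolved queries to the ISP. UseRootHint $false closes
# the gap described in the note above: without it the server still sends queries
# to the public root servers whenever the forwarders do not answer.
Set-DnsServerForwarder -IPAddress $IspServers -UseRootHint $false

# Report what was actually applied before pointing clients at this server.
$zone = Get-DnsServerZone -Name $ZoneName
$fwd  = Get-DnsServerForwarder
[pscustomobject]@{
    Zone             = $zone.ZoneName
    ZoneType         = $zone.ZoneType
    DynamicUpdate    = $zone.DynamicUpdate
    Forwarders       = ($fwd.IPAddress -join ', ')
    RootHintFallback = $fwd.UseRootHint
}
```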

Configuring a Large Network Using the Configure A DNS Server Wizard

For a large network, you can use the wizard to set up your forward and reverse lookup zones and to set up forwarding with or without recursion. With recursion, queries for external resources are first forwarded to your designated servers, but if those servers are unavailable, the DNS server forwards queries to the root name servers. Without recursion, queries for external resources are only forwarded to your designated servers.

To configure a large network using the Configure A DNS Server Wizard, follow these steps:

  1. Click Next to continue in the Configure A DNS Server Wizard. If the wizard isn't already started, right-click the server entry in the DNS console, and select Configure A Server. When the wizard starts, click Next.

    Note

    If the server you want to work with isn't shown, right-click the DNS node in the left pane, and select Connect To DNS Server. In the Connect To DNS Server dialog box, select The Following Computer, type the name or IP address of the DNS server, and then click OK.

  2. Choose Create Forward And Reverse Lookup Zones (Recommended For Large Networks), as shown in Figure 27-7, and then click Next.

    Figure 27-7. Select the second option to configure DNS for a large network.

  3. To create a forward lookup zone, accept the default option on the Forward Lookup Zone page, and then click Next. Otherwise, click No, and skip to step 10.

  4. As Figure 27-8 shows, you can now select the zone type. Choose one of the following options, and then click Next:

    • Primary Zone—Use this option to create a primary zone and designate this server to be authoritative for the zone. Ensure that Store The Zone In Active Directory is selected if you want to integrate DNS with Active Directory. Otherwise, clear this option so that a standard primary zone is created.

    • Secondary Zone—Use this option to create a secondary zone. This means the server will have a read-only copy of the zone and must use zone transfers to get updates.

    • Stub Zone—Use this option to create a stub zone. This creates only the necessary glue records for the zone. Optionally, specify that this zone should be integrated with Active Directory. This means the zone will be stored in Active Directory and be updated using Active Directory replication.

    Figure 27-8. Select the zone type.

  5. If you created an Active Directory–integrated zone, specify the replication scope, and then click Next. As Figure 27-9 shows, you have the following options:

    • To All DNS Servers In The Active Directory Forest—Enables replication of the zone information to all domains in the Active Directory forest. Each DNS server in the forest will receive a copy of the zone information and get updates through replication.

    • To All DNS Servers In The Active Directory Domain—Enables replication of the zone information in the current domain. Each DNS server in the domain will receive a copy of the zone information and get updates through replication.

    • To All Domain Controllers In The Active Directory Domain—Replicates zone information to all domain controllers in the Active Directory domain. As with a Windows 2000 domain, all domain controllers will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.

    • To All Domain Controllers Specified In The Scope Of The Following Application Partition—If you've configured application partitions other than the default partitions, you can limit the scope of replication to a designated application partition. Any domain controllers configured with the application partition will get a copy of the zone information and get updates through replication regardless of whether they are also running the DNS Server service.

    Figure 27-9. Select the replication scope if you are using Active Directory integration.

  6. In the Zone Name page, type the full DNS name for the zone. The zone name should help determine how the zone fits into the DNS domain hierarchy. For example, if you're creating the primary server for the cpandl.com domain, you should type cpandl.com as the zone name. Click Next.

  7. If you're creating a standard primary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file. In most cases, you'll simply accept the default name and allow the wizard to create the file for you in the %SystemRoot%\System32\Dns folder. If you are migrating from a BIND DNS server or have a preexisting zone file, you can select Use This Existing File, and then type the name of the file that you've copied to the %SystemRoot%\System32\Dns folder. Click Next when you are ready to continue.

  8. If you're creating a secondary zone, you see the Master DNS Servers page. Type the IP address of the primary DNS server that's maintaining the zone, and then click Add. Repeat this step to specify additional name servers. Zone transfers will be configured to copy the zone information from these DNS servers.

  9. On the Dynamic Update page, choose how you want to configure dynamic updates and then click Next. You can use one of the following options:

    • Allow Only Secure Dynamic Updates—This option is available only on domain controllers and when Active Directory is deployed. It provides for the best security possible by restricting which clients can perform dynamic updates.

    • Allow Both Nonsecure And Secure Dynamic Updates—This option allows any client to update resource records in DNS. Although it allows both secure and non-secure updates, it doesn't validate updates, which means dynamic updates are accepted from any client.

    • Do Not Allow Dynamic Updates—Choosing this option disables dynamic updates in DNS. You should use this option only when the zone isn't integrated with Active Directory.

  10. To create a reverse lookup zone, accept the default option in the Reverse Lookup Zone page, and then click Next. Otherwise, click No, and skip to step 16.

  11. On the Zone Type page, you can select the zone type. The options available are the same as before. Click Next after making a selection.

  12. If you created an Active Directory–integrated zone, specify the replication scope, and then click Next.

  13. In the Reverse Lookup Zone Name page, type the network ID for the reverse lookup zone, as shown in Figure 27-10, and then click Next. If you have multiple subnets on the same network, such as 192.168.1, 192.168.2, and 192.168.3, you should enter only the network portion for the zone name, such as 192.168, rather than the complete network ID. The DNS Server service will then fill in the necessary subnet zones as you use IP addresses on a particular subnet.

    Figure 27-10. Set the network ID for the reverse lookup zone.

  14. If you're creating a standard secondary zone, you see the Zone File page. This page allows you to create a new zone file or use an existing zone file.

  15. On the Dynamic Update page, choose how you want to configure dynamic updates, and then click Next.

  16. The Forwarders page allows you to configure forwarding of DNS queries. If you want internal DNS servers to forward queries that they can't resolve to another server, type the IP address of that server. You can optionally include the IP address for a second forwarder as well. If you don't want to use forwarders, select No, It Should Not Forward Queries.

    Note

    Selecting the No, It Should Not Forward Queries option won't prevent internal name servers from forwarding queries altogether. A root hints file will still be created, which lists the root name servers on the public Internet. Thus, if you don't designate forwarders, such as the primary and secondary name servers of your ISP, the internal name servers will still forward queries. To prevent this, you must modify the root hints file as discussed in the section entitled "Security Considerations".

  17. When you click Next, the wizard will search for and retrieve the current root hints. Click Finish to complete the configuration and exit the wizard.
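The large-network path scripted with the DnsServer PowerShell module, followed by an audit of the dynamic update setting on every zone the server hosts. This is an added example, not the book's own code; cpandl.com and the 192.168.x subnets are the book's examples, and running it on a domain controller so that Active Directory integration is available is an assumption.

```powershell
# Added example (not from the book): AD-integrated forward and reverse zones as the
# large-network wizard creates them, plus a check for zones left open to any client.
Import-Module DnsServer

$ZoneName  = 'cpandl.com'
$NetworkId = '192.168.0.0/16'   # like typing "192.168" in step 13: one zone for all 192.168.x subnets
$Scope     = 'Forest'           # step 5: To All DNS Servers In The Active Directory Forest

# Steps 4 to 9: AD-integrated primary forward zone accepting only secure dynamic updates.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope $Scope -DynamicUpdate Secure

# Steps 10 to 15: the matching reverse lookup zone. -NetworkId makes the server
# derive the zone name itself (168.192.in-addr.arpa for a /16).
Add-DnsServerPrimaryZone -NetworkId $NetworkId -ReplicationScope $Scope -DynamicUpdate Secure

function Get-DnsZoneUpdateRisk {
    # Flags zones that accept unauthenticated dynamic updates (the "Allow Both
    # Nonsecure And Secure" choice) and AD-integrated zones with updates disabled,
    # which the text says is only appropriate for zones not stored in Active Directory.
    foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
        $finding = switch ($zone.DynamicUpdate) {
            'NonsecureAndSecure' { 'any host can add or overwrite records; change to Secure' }
            'None'               { if ($zone.IsDsIntegrated) { 'AD-integrated zone with dynamic updates off' } }
            default              { $null }
        }
        if ($finding) {
            [pscustomobject]@{
                Zone    = $zone.ZoneName
                Reverse = $zone.IsReverseLookupZone
                Scope   = $zone.ReplicationScope
                Update  = $zone.DynamicUpdate
                Finding = $finding
            }
        }
    }
}

Get-DnsZoneUpdateRisk | Format-Table -AutoSize
```

Secondary zones have no dynamic update setting of their own, so they fall through the default branch and are not reported.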
