
4.5. Building a Nameserver
In this section, I'll guide you through the process of actually creating a nameserver, and
then in the remainder of the chapter I'll add to the functionality of the nameserver to
prepare it for use with Active Directory.
Nameservers need a constant connection to the Internet and a non-changing IP, either set statically on the server itself or delivered consistently through a DHCP reservation. The machine you're building out as a nameserver doesn't need to be that powerful; a fast Pentium III machine with 512 MB or so of RAM will be more than sufficient.
In the following examples, I will use the fictitious domain name hasselltech.net, with the also fictitious machine name colossus and IP address 192.168.0.5. You can, of course, replace these as appropriate when following along with your own computer.
The first step is to install the nameserver software onto your Windows Server 2003 computer. To do so, follow these steps:
1. Open Add/Remove Programs inside the Control Panel.
2. Click the Add/Remove Windows Components button on the left side of the window.
3. Select Networking Services in the list box, and then click the Details button.
4. Check the Domain Name System (DNS) checkbox, and click OK to return to the previous screen.
5. Click Next to proceed with the DNS software installation.
6. Click Finish, and then Close, to finish the procedure.
If you have your computer set up to receive an IP address via DHCP, the nameserver installation will complain loudly that DNS isn't intended to work on dynamically assigned IP addresses. For this example, click OK three times to acknowledge these warnings. As mentioned previously, make sure nameservers have a consistent, unchanging IP address.
Next, point your new nameserver to itself for name resolution so that when you run tests, you're not querying your ISP's nameservers. In fact, most nameservers point to themselves, rather than to other nameservers, for name resolution. I recommend setting this through the command line using the netsh command, like so:
netsh int ip set dns "Local Area Connection" static 192.168.0.5 primary
You can replace Local Area Connection with the name of your network connection as it appears in your network connection properties. Also, replace 192.168.0.5 with the local nameserver's IP.
Of course, you also can change the nameservers to use for name resolution through the Windows interface by following these steps:
1. Inside the Control Panel, double-click the Network Connections applet.
2. Inside the Network Connections dialog box, right-click the name of your network connection and choose Properties from the context menu.
3. Navigate to the General tab, and then select Internet Protocol (TCP/IP).
4. Click the Properties button.
5. Click the Use the following DNS server address radio button, and then enter the nameserver's IP address into the box.
6. Click OK.
Now that the DNS server software is installed, you need to start the DNS service. Select Start, then click Administrative Tools and select DNS. The DNS Management snap-in will appear, as shown in Figure 4-1 (although it will not have all of the forward lookup zones shown in the figure).
Figure 4-1. The DNS Management Snap-in
We'll manually set up DNS later in this chapter, so ignore the message to use the Configure Your DNS Server Wizard. At this point, you have a functional nameserver, which performs "caching-only" functions; that is, it doesn't hold any DNS information unique to itself, but it does know how to contact the 13 root servers as held by ICANN, the master of DNS on the Internet, and it can resolve Internet addresses by contacting them. Windows Server 2003's DNS software knows how to do this by default, without any configuration on your part.
4.5.1. Enabling Incremental Transfers
Windows Server 2003's DNS component is compliant with RFC 1995 and can do incremental transfers (known as IXFRs in DNS parlance) with other Windows 2000 or Windows Server 2003 servers supporting the feature. It also still can do the old-style full zone transfers, referred to as AXFRs, with noncompliant nameservers and with non-Windows 2000 or non-Windows Server 2003 machines. There is not a way to instruct Windows Server 2003 to always send full zone files to all servers, regardless of whether they are compliant. You can, however, tell Windows to send incremental zone transfers to all supporting servers, regardless of whether they run Windows 2000 or Windows Server 2003. Here's how:
1. Open the DNS Management snap-in.
2. Right-click your server and select Properties from the context menu.
3. Navigate to the Advanced tab, and uncheck the box labeled BIND Secondaries.
4. Click OK to finish.
Now the server will use incremental zone transfers to all supporting servers, not just to those running Windows 2000 or Windows Server 2003.
4.5.2. Creating a Forward Lookup Zone
Now, to further configure your server, let's create a forward lookup zone file. Inside the DNS snap-in, expand the server name in the lefthand pane. Then do the following:
1. Right-click Forward Lookup Zones and select New Zone. The New Zone Wizard appears.
2. Choose Primary Zone, and then click Next.
3. Enter the zone name. In this example, I'll use hasselltech.net. Click Next to continue.
4. Enter a name for the new zone file, which is stored in ASCII format. The default name is your domain with .dns appended to the end (hasselltech.net.dns, for example). The zone files are stored in %SystemRoot%\system32\dns. Click Next.
5. On the Dynamic Update screen, choose to allow both insecure and secure dynamic updates. I'll discuss dynamic DNS updating in a later section. Click Next.
6. Click Finish to complete the zone creation process.
The hasselltech.net zone has now been created.
4.5.3. Entering A Records into a Zone
Inside the DNS snap-in, right-click the hasselltech.net node in the lefthand pane and choose New Host (A) from the context menu. The New Host dialog box appears, as shown in Figure 4-2.
Figure 4-2. Entering a new A record
Enter the hostname of the machine for which you're entering the record, and then enter the IP address of the machine. As you enter the hostname, the fully qualified domain name (FQDN) will adjust to show the full hostname, including the domain, to check your work. You also can check the Create associated pointer (PTR) record checkbox, which enters a PTR record into the reverse lookup zone, if one is currently configured. (If none is set up, the process will throw an error.) Click OK.
4.5.4. Controlling Round-Robin Balancing
You can enable or disable round-robin DNS balancing using the nameserver's Advanced Properties screen, which you'll find by right-clicking the nameserver name in the DNS Management snap-in's lefthand pane and selecting Properties from the context menu. Figure 4-3 shows this screen, on the Advanced tab of the Properties sheet.
Figure 4-3. Advanced properties of a DNS server
Check Enable round robin in the Server options box to enable round robin, and uncheck it to disable it.
DNS round-robin functionality is enabled on a per-server level, not on a per-zone level.
Also, if you want to turn off the subnet mask ordering feature, on the Advanced Properties screen shown in Figure 4-3 uncheck Enable netmask ordering in the Server options box.
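To make concrete what the two Server options switches do to an answer, here is an added illustration in Python; it is not code from the book or from the Windows DNS service, and the /24 "same subnet" size and the three sample addresses for a multi-homed host are constructed assumptions. Round robin rotates the list one position per query; netmask ordering then moves any address on the querier's own subnet to the front.

```python
"""Round-robin rotation and netmask ordering, modelled in pure Python.

Added illustration of what the two Server options switches do to the answer
list for a name with several A records. This is not code from the book or
from the Windows DNS service; the /24 "local subnet" size and the sample
addresses are constructed assumptions.
"""
from ipaddress import ip_address, ip_network
from itertools import count

# Constructed A records for a hypothetical multi-homed host, www.hasselltech.net.
WWW_ADDRESSES = ["192.168.0.5", "192.168.1.20", "10.0.0.9"]


class AnswerOrderer:
    """Orders the A records handed back for one name, per the server-wide switches."""

    def __init__(self, addresses, round_robin=True, netmask_ordering=True, prefix_len=24):
        self.addresses = list(addresses)
        self.round_robin = round_robin            # "Enable round robin"
        self.netmask_ordering = netmask_ordering  # "Enable netmask ordering"
        self.prefix_len = prefix_len              # assumed size of the "same subnet" test
        self._rotation = count()                  # advances once per query answered

    def answers(self, querier_ip):
        """Return the address list in the order the querier would receive it."""
        ordered = list(self.addresses)
        if self.round_robin:
            # Each successive query starts the list one position further along,
            # so successive clients spread their connections across all addresses.
            shift = next(self._rotation) % len(ordered)
            ordered = ordered[shift:] + ordered[:shift]
        if self.netmask_ordering:
            # Addresses on the querier's own subnet are moved to the front,
            # keeping the (possibly rotated) relative order of everything else.
            client_net = ip_network(f"{querier_ip}/{self.prefix_len}", strict=False)
            local = [a for a in ordered if ip_address(a) in client_net]
            remote = [a for a in ordered if ip_address(a) not in client_net]
            ordered = local + remote
        return ordered


def first_answers(queriers, **switches):
    """First address each querier sees, in turn; shows how the two switches interact."""
    server = AnswerOrderer(WWW_ADDRESSES, **switches)
    return [server.answers(ip)[0] for ip in queriers]


if __name__ == "__main__":
    # Three queries from a remote client, then one from a client on 192.168.1.0/24.
    clients = ["172.16.5.5", "172.16.5.5", "172.16.5.5", "192.168.1.77"]
    print("round robin only :", first_answers(clients, netmask_ordering=False))
    print("netmask only     :", first_answers(clients, round_robin=False))
    print("both switches on :", first_answers(clients))
```

Running the demo shows the interaction worth knowing before you rely on round robin for load spreading: with netmask ordering on, a client on the same subnet as one of the addresses always gets that address first, so the rotation only ever spreads load among clients that are remote from every address.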
4.5.5. Entering and Editing SOA Records
A default SOA record is created when you create a new zone in Windows Server 2003. To modify an SOA record, double-click it in the DNS Management snap-in. The screen will look something like Figure 4-4.
Figure 4-4. SOA record properties for a zone
Here are descriptions of the various fields on this tab:
Serial number
The serial number indicates whether the SOA record has changed since the last update on the part of a nonauthoritative nameserver. If you want to change this number, click the Increment button; you can't simply edit the field.
Primary server
This field denotes the primary, authoritative nameserver for this zone.
Responsible person
This field indicates the administrator responsible for configuring and editing this zone. This is the administrator's email address, but with a period in place of the normal at sign (@) and a period appended to the end of the string. For example, if your administrator is hostmaster@hasselltech.net, in this field you would enter hostmaster.hasselltech.net.
Refresh interval
The refresh interval indicates to secondary nameservers how long they can keep their copies of the zones before being required to request a refresh.
Retry interval
The retry interval indicates how long the secondary nameserver must wait before attempting to contact the authoritative nameserver again after a failed attempt to refresh its zone after the refresh interval has lapsed.
Expires after
This value essentially indicates how long a zone file is valid for use in production environments. It dictates how long a secondary nameserver will continue attempting a zone transfer from its primary nameserver. When this expiration date is reached, the zone on the secondary nameserver expires and that server stops responding to queries.
Minimum (default) TTL
This value indicates to other nameservers how long they can use information they've previously retrieved from this nameserver before being required to consult the authoritative server again for updated or refreshed information. This is, by default, 60 minutes. You also can set TTL values for individual records that override this minimum default setting for a zone.
TTL for this record
This value overrides the minimum (default) TTL as described earlier and is limited to only this SOA record.
4.5.6. Creating and Editing NS Records
NS records, as you learned earlier in this chapter, link the hostnames of nameservers to their IP addresses. To create these records, inside the DNS Management snap-in right-click the zone file in question and select Properties. Then, select the Name Servers tab. You'll be greeted with the screen shown in Figure 4-5.
The primary NS record is displayed, as it was created by default when you first constructed the zone. Click the Add button to insert a new NS record (for example, for a secondary nameserver). In the box that appears, type in the new machine's fully qualified domain name and click the Resolve button. Windows Server 2003 uses a reverse lookup to determine the IP address of the hostname you entered. If you agree with its finding, click the Add button beside the IP address and the NS record will be entered. Click OK twice to close.
4.5.7. Creating and Editing CNAME Records
Recall that CNAME records map different hostnames to preexisting A records, allowing multiple DNS names for a host. To create these records, right-click the hasselltech.net node in the lefthand pane of the DNS Management snap-in and choose New Alias (CNAME) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-6.
Figure 4-5. Editing NS records for a zone
Figure 4-6. Entering a new CNAME record
Enter the aliased name of the machine for which you're entering the record (this is the canonical name), and then enter the fully qualified domain name of the host you're aliasing. As you enter the CNAME, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work.
Click OK to finish.
4.5.8. Creating and Editing MX Records
As you'll remember from earlier in this chapter, MX records dictate how mail is delivered to a specific DNS zone. To create these records, inside the DNS snap-in right-click the hasselltech.net node in the lefthand pane and choose New Mail Exchanger (MX) from the context menu. The New Resource Record dialog box appears, as shown in Figure 4-7.
Figure 4-7. Entering a new MX record
Enter the name of the domain or zone for which you're entering the record, and then enter the fully qualified domain name of the host to which mail for that domain or zone should be delivered. As you enter the name, the fully qualified domain name field just below will adjust to show the full hostname, including the domain, to check your work. Finally, in the Mail server priority box, type the MX preference number that should apply to this record.
Click OK to close.
4.5.9. Generating a Reverse Lookup Zone
You learned earlier in this chapter that reverse lookup zones map IP addresses to their corresponding hostnames. To create these records, inside the DNS Management snap-in, right-click the Reverse Lookup Zones folder and choose New Zone from the context menu. You'll be presented with the New Zone Wizard. Click Next to bypass the introductory screen and you'll see Figure 4-8. Then follow these steps:
1. Choose Primary zone, and click Next.
2. Enter the network numbers for your network in the Network ID field (for example, 192.168.0), and then click Next.
3. The Dynamic Updates page appears. Select to allow both insecure and secure updates, and then click Next.
4. Click Finish to complete the wizard.
Figure 4-8. Creating a new reverse lookup zone
Your reverse lookup zone has been created.
4.5.10. Creating and Editing PTR Records
Remember that PTR records map IP addresses to their hostnames and are vital within a reverse lookup zone. To create these records, right-click the appropriate reverse lookup zone within the DNS Management snap-in and select New Pointer (PTR) from the context menu. The New Resource Record dialog box will appear, as shown in Figure 4-9.
Figure 4-9. Entering a new PTR record
On this screen, all you need to do is enter the last dotted quad of a specific IP address, and then enter the hostname to which that address should refer. The FQDN for the reverse lookup record will fill in automatically.
Click OK to finish.
4.5.11. Configuring a Secondary Nameserver
In this section, I'll cover creating a secondary nameserver to serve a zone. Some preliminary steps are in order, though: first, the machine should be running Windows Server 2003, and it should have the DNS service installed, as I mentioned before. The machine's network connection should be configured so that its preferred nameserver is itself. (Also, for the purposes of this section, the secondary nameserver will be called ns2.hasselltech.net at IP address 192.168.0.6.)
To proceed:
1. Open the DNS Management MMC snap-in.
2. Right-click Forward Lookup Zones and select New Zone from the context menu. The New Zone Wizard will appear; click Next to skip the introductory screen.
3. Choose Secondary to create a secondary lookup zone, which will indicate to Windows that this should be a secondary nameserver. Click Next.
4. Enter the name of an existing zone on the Zone Name screen, and click Next.
5. Specify the nameservers from which Windows can fetch the existing zone files. Simply enter the primary nameserver in the box, click Add, and then click Next, as shown in Figure 4-10.
6. Click Finish to create the zone.
Figure 4-10. Specifying a primary DNS server for a secondary DNS zone
4.5.12. Upgrading a Secondary Nameserver to Primary
Perhaps you decide, upon acquiring a new business into your organization, that you need more horsepower in responding to DNS queries. Or perhaps eventually you'd like to cluster your DNS servers. In these cases, you would want to promote some secondary nameservers to primary status. It's an easy process to promote an existing secondary nameserver to a primary nameserver.
1. Open the DNS Management snap-in.
2. Right-click the zone folder that you want to convert, and select Properties from the context menu.
3. Navigate to the General tab, as shown in Figure 4-11.
Figure 4-11. Promoting a DNS server
4. To the right of the Type entry (it should now say either Primary or Secondary), click the Change button. The Change Zone Type screen will appear, as shown in Figure 4-12.
Figure 4-12. Changing a server from primary to secondary
5. Click the Primary zone radio button to perform the promotion.
6. Click OK.
The server will now be a primary server for that zone.
4.5.13. Manually Editing Zone Files
All zone files are stored in %SystemRoot%\system32\dns. The files are stored in the format <domain>.dns (e.g., hasselltech.net.dns). You can edit them with your favorite text editor or with a script that you can write to perform large-scale and/or automated machine rollouts.
When you directly edit zone files, make sure you manually increment the serial number value in the zone's SOA record. You can increment by any value. Otherwise, the changes are likely to be missed by any secondary nameservers during a zone transfer.
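The following is an added example, not code from the book or from the Windows DNS service, covering both the SOA fields described in section 4.5.5 and the serial-number rule just stated: it reads the SOA out of a zone file, converts the Responsible person field to and from an email address, and rewrites the serial in place while leaving the file's comments untouched. SAMPLE_ZONE is a constructed file laid out in the style of the %SystemRoot%\system32\dns files; the exact layout Windows writes is an assumption, and the parser relies only on standard master-file syntax (';' comments and a parenthesised SOA).

```python
"""Read and bump the SOA serial of a Windows-style zone file.

Added illustration for the SOA field descriptions and the note about editing
zone files by hand; it is not code from the book or from the Windows DNS
service. SAMPLE_ZONE is a constructed file laid out like the
%SystemRoot%\\system32\\dns files the text describes (the exact layout Windows
writes is an assumption); the parser only relies on standard master-file
syntax: ';' comments and a parenthesised SOA.
"""
import re

SAMPLE_ZONE = """\
;
;  Database file hasselltech.net.dns for hasselltech.net zone (constructed sample).
;      Zone version:  3
;
@                       IN  SOA colossus.hasselltech.net. hostmaster.hasselltech.net. (
                        3            ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS    colossus.hasselltech.net.
@                       NS    ns2.hasselltech.net.
;
;  Zone records
;
colossus                A     192.168.0.5
ns2                     A     192.168.0.6
www                     CNAME colossus.hasselltech.net.
@                       MX    10 colossus.hasselltech.net.
"""

# Primary server, Responsible person and the five numbers, in the order they
# appear on the SOA tab: serial, refresh, retry, expire, minimum (default) TTL.
_SOA_RE = re.compile(
    r"\bSOA\s+(?P<primary>\S+)\s+(?P<responsible>\S+)\s*\(\s*"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+"
    r"(?P<expire>\d+)\s+(?P<minimum>\d+)\s*\)"
)


def _code_part(line):
    """The part of a zone-file line before any ';' comment."""
    return line.split(";", 1)[0]


def parse_soa(zone_text):
    """Return the SOA fields as a dict; integers for the serial and the intervals."""
    stripped = "\n".join(_code_part(line) for line in zone_text.splitlines())
    match = _SOA_RE.search(stripped)
    if match is None:
        raise ValueError("no SOA record found in zone text")
    soa = match.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa


def bump_serial(zone_text, new_serial=None):
    """Return the zone text with the SOA serial replaced.

    The default is old serial + 1 (any larger value is fine, as the text says);
    a serial that does not grow is rejected because secondaries would ignore it.
    """
    old = parse_soa(zone_text)["serial"]
    new = old + 1 if new_serial is None else new_serial
    if new <= old:
        raise ValueError(f"new serial {new} must be greater than current serial {old}")
    serial_token = re.compile(r"(?<![\w.])%d(?![\w.])" % old)
    lines = zone_text.splitlines(keepends=True)
    seen_soa = False
    for i, line in enumerate(lines):
        code = _code_part(line)
        seen_soa = seen_soa or re.search(r"\bSOA\b", code) is not None
        if not seen_soa:
            continue   # numbers in the header comments are never the serial
        match = serial_token.search(code)
        if match:
            # code is a prefix of line, so offsets line up; the comment is kept.
            lines[i] = line[:match.start()] + str(new) + line[match.end():]
            return "".join(lines)
    raise ValueError("could not locate the serial token to rewrite")


def mailbox_to_responsible(mailbox):
    """hostmaster@hasselltech.net -> hostmaster.hasselltech.net. (Responsible person field)."""
    user, _, domain = mailbox.partition("@")
    user = user.replace(".", "\\.")   # a dot inside the user part is escaped (RFC 1035)
    return f"{user}.{domain}."


def responsible_to_mailbox(responsible):
    """Inverse of mailbox_to_responsible: the first unescaped dot becomes the @."""
    match = re.match(r"((?:\\.|[^.\\])+)\.(.+?)\.?$", responsible)
    if match is None:
        raise ValueError(f"malformed responsible-person name: {responsible!r}")
    return match.group(1).replace("\\.", ".") + "@" + match.group(2)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_ZONE)
    print("serial", soa["serial"], "admin", responsible_to_mailbox(soa["responsible"]))
    print(bump_serial(SAMPLE_ZONE))
```

A rollout script would call bump_serial on the file it has just edited and write the result back before restarting the DNS service; the serial check at the top is the guard that stops a script from silently producing a zone that secondaries will never pick up.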
4.5.14. Controlling the Zone Transfer Process
For obvious reasons, you'll find it necessary to control which machines can perform a zone transfer from nameservers; after all, users at large on the Internet have no legitimate need to retrieve a full copy of your zones, and having a full record of your connected machines is a huge security breach. Unfortunately, Microsoft didn't lock down this process, so by default your Windows Server 2003 nameserver will transfer its zone files to any machine upon request. This is locked down, however, in Service Pack 1.
To lock this down, open the DNS Management snap-in and expand the nameserver's name. Find a zone under Forward Lookup Zones, right-click it, and choose Properties. Click over to the Zone Transfers tab. You'll see the screen depicted in Figure 4-13.
You see that you can disallow zone transfers wholesale by unchecking the box labeled Allow zone transfers. However, if you choose to enable them to have secondary nameservers, you can lock down the access to those zone files a bit more granularly. The first option, To any server, leaves the transfer process wide open; this is the default setting on machines that haven't been upgraded to Service Pack 1. The second option, Only to servers listed on the Name Servers tab, seems to be the most reasonable option, restricting transfer to the servers identified as authoritative for the domain on that tab. The third option, Only to the following servers, can lock down that list even further. Simply select the option, enter an IP address into the box, and click Add when you're done. Make the list as long or short as it needs to be, and then finish the process by clicking OK.
Figure 4-13. Controlling zone transfers
Windows Server 2003 also supports a feature listed in RFC 1996 known as zone modification notification, which nearly contradicts what I wrote earlier about the zone transfer process being primarily a pull, rather than a push, process. Click the Notify button on the Zone Transfers tab to explore this feature; you'll be greeted with the screen in Figure 4-14.
The notification feature will contact the servers listed on this Notify screen when changes are made to the zone file on the primary nameserver. You can have the server contact the authoritative nameservers for a zone or domain as listed on the Name Servers tab, or contact only the servers in the list that you create on this screen. (To create this list, simply enter an IP address and click Add. Repeat as necessary to build the list.) Click OK when you've configured or disabled this feature as you wish.
Figure 4-14. Notify dialog screen
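As an added example (not code from the book or from the Windows DNS service), the decision the Zone Transfers tab and the Notify screen encode can be written down as a small policy function, which is a convenient way to check, for a list of addresses that have requested your zone, which ones each of the three radio-button settings would have served. The zone, its Name Servers tab entries (colossus and ns2, as configured earlier in the chapter) and the requesting addresses are constructed samples.

```python
"""Zone Transfers tab policy and Notify list, modelled as a decision function.

Added illustration, not code from the book or from the Windows DNS service.
It evaluates where a full or incremental transfer request comes from against
the three radio-button policies described above, and derives the Notify
target set the same way. The zone, its Name Servers tab entries and the
request sources are constructed samples.
"""
from dataclasses import dataclass
from enum import Enum


class TransferPolicy(Enum):
    ANY = "To any server"                                     # pre-SP1 default
    NAME_SERVERS = "Only to servers listed on the Name Servers tab"
    LIST = "Only to the following servers"


@dataclass
class ZoneSettings:
    name: str
    primary_ip: str
    name_servers: dict                       # FQDN -> IP, as entered on the Name Servers tab
    allow_transfers: bool = True             # the "Allow zone transfers" checkbox
    policy: TransferPolicy = TransferPolicy.NAME_SERVERS
    transfer_list: frozenset = frozenset()   # IPs typed into "Only to the following servers"
    notify: bool = True
    notify_name_servers: bool = True         # Notify screen: servers on the Name Servers tab ...
    notify_list: frozenset = frozenset()     # ... or only the servers in this list


def transfer_allowed(zone, source_ip):
    """True if this server would hand the zone to a requester at source_ip."""
    if not zone.allow_transfers:
        return False
    if zone.policy is TransferPolicy.ANY:
        return True
    if zone.policy is TransferPolicy.NAME_SERVERS:
        return source_ip in set(zone.name_servers.values())
    return source_ip in zone.transfer_list


def notify_targets(zone):
    """Servers that receive a NOTIFY when the primary's copy of the zone changes."""
    if not zone.notify:
        return set()
    if zone.notify_name_servers:
        # The primary is on the Name Servers tab too, but never notifies itself.
        return set(zone.name_servers.values()) - {zone.primary_ip}
    return set(zone.notify_list)


def audit(zone, request_sources):
    """Map each requesting IP to the verdict; the denied ones are what to watch for."""
    return {ip: transfer_allowed(zone, ip) for ip in request_sources}


def sample_zone(**overrides):
    """hasselltech.net as set up in the text: colossus primary, ns2 secondary (constructed)."""
    base = dict(
        name="hasselltech.net",
        primary_ip="192.168.0.5",
        name_servers={
            "colossus.hasselltech.net.": "192.168.0.5",
            "ns2.hasselltech.net.": "192.168.0.6",
        },
    )
    base.update(overrides)
    return ZoneSettings(**base)


# Constructed transfer requests: the real secondary, a workstation, and an Internet host.
REQUESTS = ["192.168.0.6", "192.168.0.77", "203.0.113.44"]

if __name__ == "__main__":
    for policy in TransferPolicy:
        zone = sample_zone(policy=policy, transfer_list=frozenset({"192.168.0.6"}))
        print(f"{policy.value:50}", audit(zone, REQUESTS))
    print("notify targets:", notify_targets(sample_zone()))
```

Note that under the second policy the list of permitted requesters is exactly the set of IPs on the Name Servers tab, so adding an NS record for a host you do not control widens the transfer policy as a side effect; the third option decouples the two lists.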
4.8. Active Directory-Integrated Zones
Up to this point, I've treated the Windows Server 2003 DNS service as a traditional nameserver, mostly compliant with the relevant RFCs, which can act in both primary and secondary "modes" for a zone. However, Windows Server 2003 offers a third mode specific to Windows that, although not listed in an RFC, offers some distinct advantages if you've made an infrastructure investment in Active Directory and Windows.
The third mode, Active Directory-integrated DNS, offers two plusses over traditional zones. For one, the fault tolerance built into Active Directory eliminates the need for primary and secondary nameservers. Effectively, all nameservers using Active Directory-integrated zones are primary nameservers. This has a huge advantage for the use of dynamic DNS as well: namely, the wide availability of nameservers that can accept registrations. Recall that domain controllers and workstations register their locations and availability to the DNS zone using dynamic DNS. In a traditional DNS setup, only one type of nameserver can accept these registrations (the primary server, because it has the only read/write copy of a zone). By creating an Active Directory-integrated zone, all Windows Server 2003 nameservers that store their zone data in Active Directory can accept a dynamic registration, and the change will be propagated using Active Directory multi-master replication, something you'll learn about in Chapter 5. All you need to do to set up this scenario is install Windows Server 2003 on a machine, configure it as a domain controller, install the DNS service, and set up the zone. It's all automatic after that. Contrast this with the standard primary-secondary nameserver setup, where the primary server is likely to be very busy handling requests and zone transfers without worrying about the added load of dynamic DNS registrations. Active Directory-integrated zones relieve this load considerably. And to add to the benefits, Active Directory-integrated zones support compression of replication traffic between sites, which also makes it unnecessary to use the old-style "uncompressed" zone transfers.
As you read in the previous section, part of the dynamic DNS functionality provided in Windows Server 2003 is the scavenger process. Recall the no-refresh interval function, which was created to eliminate exorbitant amounts of traffic being passed between domain controllers for each DNS re-registration.
Active Directory-integrated zones also afford a big security advantage, in that they provide the capability to lock down dynamic DNS functionality by restricting the ability of users and computers to register records into the system: only computers that are members of the Active Directory domain that hosts the DNS records can add and update records dynamically to these zones. However, to have an Active Directory-integrated zone, your nameservers must be domain controllers for an Active Directory domain. If other nameservers are used that are not domain controllers, they can act as only traditional secondary nameservers, holding a read-only copy of the zone and replicating via the traditional zone transfer process.
If you're already running a nameserver that is a domain controller with an active zone in service, it's easy to convert that to an Active Directory-integrated zone. (And for that matter, it's easy to revert to a primary or secondary zone; this isn't a be-all and end-all.) Here's how to go forward:
1. Open the DNS Management snap-in.
2. Right-click the zone folder you want to convert, and select Properties from the context menu.
3. Navigate to the General tab, as shown in Figure 4-20.
Figure 4-20. Converting a zone to Active Directory-integrated mode
4. To the right of the Type entry (it should now say either Primary or Secondary), click the Change button. The Change Zone Type screen will appear, as shown in Figure 4-21.
5. Check the Store the zone in Active Directory checkbox.
6. Click OK.
Figure 4-21. Storing a zone in Active Directory
You'll note that your options expand once you've converted to Active Directory-integrated zones. Go back to the zone's properties, and on the General tab, note a couple of things:
The Dynamic Updates field now allows Secure Only updates.
You have options for replicating zone changes throughout all domain controllers in Active Directory.
Let's focus on the latter for a moment.
4.8.1. Replication Among Domain Controllers
Windows Server 2003 introduces a new feature that allows you to tune how Active Directory replicates DNS information to other domain controllers. (While I'll present AD in all of its glory in Chapter 5, I'll go ahead and cover this here.) Click the Change button beside the Replication field on the zone properties, and you'll be presented with the Change Zone Replication Scope screen as shown in Figure 4-22.
The default setting is "To all domain controllers in the Active Directory domain," which instructs Windows to behave exactly as it did in Windows 2000 Server: replicate DNS information to all domain controllers in Active Directory, regardless of whether they're actually running the DNS service. Obviously, if you have 20 domain controllers in your domain, but only three domain controllers that run DNS, this is a lot of replication traffic that is just wasted. On this screen, you can select to replicate the DNS information only to domain controllers running DNS in either the forest or the domain. This is very helpful, and for large organizations, it should cut down on WAN traffic.
Figure 4-22. Controlling DNS replication in Active Directory
4.9. Forwarding
Forwarding, in the simplest terms, is the process by which a nameserver passes on requests it cannot answer locally to another server. You can make forwarding work to your advantage so that you effectively combine the resolver caches for many nameservers into one. By doing this, you allow clients to resolve previously retrieved sites from that "mega-cache" before requiring a true refresh lookup of the information from authoritative nameservers on the public Internet.
Here's how it works. DNS behavior by default is to consult the preferred nameserver first to see if it has the necessary zone information for which the client is searching. It doesn't matter to the client if the preferred nameserver has the zone information but isn't authoritative; having the information is enough for the client, and it takes the returned results and makes the connection. But if the server doesn't have the zone recorded in its files, it must go upstream, to the public Internet, to ask other nameservers for the zone information that's needed. This takes time because it adds a delay to the initial resolution while the preferred nameserver is searching the Internet for the answer. However, after the nameserver looks up the information once, it stores it in its cache of resolved names so that the next user looking for the same resolver information doesn't incur that delay: the preferred nameserver can simply answer out of its cache and return the data nearly instantaneously.
Forwarding takes this cache and expands it to multiple nameservers. Consider an organization with four or five nameservers. Clients likely will have different preferred nameservers, set to one of each of those four or five. So, when one client wants information that's not in his nameserver's cache, his preferred nameserver will search it out and return it, and all future users of that particular preferred nameserver will get information for that zone returned out of its cache. But the other users in the organization won't be able to take advantage of that cached entry because they're likely using other machines as their preferred nameservers.
A forwarder comes in and adds an extra step to this process: if the preferred nameserver doesn't have zone information in its cache, it will ask a separate server, known as the forwarder, if it has information on the requested zone. The forwarder is simply another nameserver that looks up zone information on the Internet and stores it in its own cache for easy reference. So, if all nameservers in an organization are configured to ask the same forwarder for cached information if it has some, all of those nameservers are taking advantage of the forwarder's cache and the near-instantaneous response the forwarder can give to resolution requests. Again, the forwarder acts like a regular nameserver in all respects; it's just that other nameservers in an organization are configured so that they can use the forwarder's cache. If, however, the forwarder machine takes too long to respond to a request, the original preferred nameserver can take over and make a request to the Internet itself, so you don't lose the ability to resolve DNS requests; you're only making it more efficient. You also can have more than one forwarder for your organization if you're worried about a single point of failure, but you lose a bit of the advantage because you're again using more than one cache database.
Now, to set up forwarding:
1. Open the DNS Management snap-in on the machine you want to set up to forward requests elsewhere.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-23.
4. Also as shown in the previous figure, enter 5 in the Number of seconds before forward queries time out field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.
5. Click Apply to complete the process.
4.9.1. Slaving
Slaving is a logical extension to the forwarding process. Servers slaved to a specific nameserver forward requests to that server and rely entirely on that server for resolution; in plain forwarding, on the other hand, the original nameserver can resolve the request itself after a timeout period by querying the root nameservers. With slaving, the upstream nameserver becomes the proxy through which all slaved nameservers make their requests.
Figure 4-23. Setting up a forwarding DNS system
This is useful mainly in situations where you need multiple nameservers within your organization to handle Active Directory- and internal-related tasks, but you want outside requests to stay outside the firewall. You can set up one very secure nameserver and place it outside your firewall and internal network, allowing it to service requests from the inside to the outside and from the outside to certain machines within the network. Then, you can slave the internal machines to the one machine outside the firewall, making them depend entirely on the machine in the hostile environment but keeping that environment out of your internal network and away from the many nameservers you administer locally. Because most firewalls are stateful inspection machines that only allow packets inside the firewall that are in response to communications initiated internally, and because your internal nameservers query only the external nameserver and not the Internet itself, the public has no reason to know that your internal nameservers exist, and no ability to get to them, either.
Setting up slaving, as opposed to forwarding, involves only one extra checkbox. To enable slaving, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up to slave to another server.
2. Right-click the server name and choose Properties from the context menu.
3. Set up forwarding first. Navigate to the Forwarders tab, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-24.
4. Also as shown in the previous figure, enter 5 in the "Number of seconds before forward queries time out" field. Five seconds is a standard number that ensures efficient name resolution if the forwarders somehow fail at their task.
5. Now, check the Do not use recursion for this domain box at the bottom of the screen. This slaves the server to the forwarders listed in the box above.
6. Click Apply, and then OK, to complete the process.
Figure 4-24. Setting up a slaved DNS system
4.9.2. Conditional Forwarding
There might be occasions, especially when using the split DNS architecture technique that I'll cover in the next section, where you want to assign certain nameservers to answer queries for specific domains that your users ask for. Conditional forwarding can be useful for many reasons, including increasing the speed of name resolution for clients, or effecting a structural DNS change in a case of company acquisitions or divestitures. Conditional forwarding is supported only in Windows Server 2003.
The Forwarders tab inside the DNS Management snap-in holds multiple lists of domains and their associated forwarders specifically to accommodate the conditional forwarding feature. To set up conditional forwarding, follow these steps:
1. Open the DNS Management snap-in on the machine you want to set up for conditional forwarding.
2. Right-click the server name and choose Properties from the context menu.
3. Navigate to the Forwarders tab, and then click the New button to the right of the DNS domain box.
4. In the New Forwarder box, enter the name of the DNS domain to configure forwarding for, and then press OK.
5. Click the new domain within the DNS domain list, and then in the Selected domain's forwarder IP address list, enter the IP address to which requests should be forwarded. This is shown in Figure 4-25.
6. In the Number of seconds before forward queries time out field, enter 5.
7. Leave the Do not use recursion for this domain box at the bottom of the screen unchecked because you don't want to slave your nameserver permanently to a forwarder for only certain domains.
8. Click Apply, and then OK, to complete the process.
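The three behaviours described in sections 4.9, 4.9.1 and 4.9.2 (shared forwarder cache with fallback to the root servers on timeout, slaving via "Do not use recursion for this domain", and per-domain forwarder lists chosen by longest suffix match) are easier to reason about as one decision procedure. The following is an added model of that procedure in Python; it is not code from the book or from the Windows DNS service, the upstream servers are stubs that answer from constructed tables, and every name and address in it is made up.

```python
"""Forwarding, slaving and conditional forwarding as a resolver decision model.

Added illustration, not code from the book or from the Windows DNS service.
A Resolver answers from its cache, otherwise forwards to the Forwarders tab
entry whose DNS domain is the longest suffix match (the "All other DNS
domains" entry has domain ""), and when every forwarder times out it
recurses to the root servers itself unless "Do not use recursion for this
domain" is set, which slaves it to those forwarders. Upstream servers are
constructed stubs; the timeout is only recorded, not waited for.
"""
from dataclasses import dataclass, field

TIMEOUT = object()   # what an unreachable upstream "returns" once the timeout lapses


class ServerFailure(Exception):
    """The resolver had no way left to answer (SERVFAIL)."""


class Upstream:
    """Stub for a forwarder, or for the Internet reached via the root servers.

    A forwarder is itself a caching nameserver: on a cache miss it asks the
    Internet and keeps the answer, which is what makes its cache shareable.
    """

    def __init__(self, answers=None, reachable=True, internet=None):
        self.cache = dict(answers or {})   # name -> address; a missing name is NXDOMAIN
        self.reachable = reachable
        self.internet = internet           # where this server looks on a cache miss
        self.queries = 0

    def query(self, name):
        self.queries += 1
        if not self.reachable:
            return TIMEOUT
        if name not in self.cache and self.internet is not None:
            self.cache[name] = self.internet.query(name)
        return self.cache.get(name)


@dataclass
class ForwarderEntry:
    domain: str                 # "" stands for "All other DNS domains"
    forwarders: list            # the "Selected domain's forwarder IP address list"
    timeout: int = 5            # "Number of seconds before forward queries time out"
    no_recursion: bool = False  # "Do not use recursion for this domain"


@dataclass
class Resolver:
    root: Upstream              # stands in for the 13 root servers and the Internet
    entries: list
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)

    def _entry_for(self, name):
        """Longest matching DNS domain wins; the "" entry matches everything."""
        best = None
        for entry in self.entries:
            matches = entry.domain == "" or name == entry.domain or name.endswith("." + entry.domain)
            if matches and (best is None or len(entry.domain) > len(best.domain)):
                best = entry
        return best

    def resolve(self, name):
        if name in self.cache:
            self.log.append(f"{name}: answered from cache")
            return self.cache[name]
        entry = self._entry_for(name)
        if entry is not None:
            for fwd in entry.forwarders:
                answer = fwd.query(name)
                if answer is TIMEOUT:
                    self.log.append(f"{name}: forwarder timed out after {entry.timeout}s")
                    continue
                self.log.append(f"{name}: answered via forwarder for '{entry.domain or 'all other domains'}'")
                return self._remember(name, answer)
            if entry.no_recursion:
                self.log.append(f"{name}: slaved and every forwarder failed, SERVFAIL")
                raise ServerFailure(name)
        self.log.append(f"{name}: recursing to the root servers")
        return self._remember(name, self.root.query(name))

    def _remember(self, name, answer):
        self.cache[name] = answer
        return answer


if __name__ == "__main__":
    internet = Upstream({"www.example.com": "198.51.100.7", "ftp.example.org": "203.0.113.2"})
    shared = Upstream(internet=internet)                 # the organisation's forwarder
    partner = Upstream({"crm.partner.example": "10.9.9.9"})
    ns1 = Resolver(internet, [ForwarderEntry("partner.example", [partner]), ForwarderEntry("", [shared])])
    ns2 = Resolver(internet, [ForwarderEntry("", [shared])])
    for server, name in ((ns1, "www.example.com"), (ns2, "www.example.com"), (ns1, "crm.partner.example")):
        print(name, "->", server.resolve(name))
    print("Internet queries:", internet.queries, "(one, thanks to the shared forwarder cache)")
```

The test scenario worth keeping in mind when you choose between forwarding and slaving is the unreachable-forwarder case: with the recursion box unchecked the resolver falls through to the root servers and the client never notices, whereas a slaved server returns a failure, which is exactly the isolation the firewall design in section 4.9.1 is buying.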
4.11. Backup and Recovery
If you thought configuring DNS in the first place was difficult, you'll find the backup and recovery procedures refreshingly simple. There are two locations in the Registry to back up the DNS service and one directory on the physical filesystem.
To back up a server that's hosting one or more primary or secondary DNS zones, follow these steps:
1. On the nameserver, stop the DNS service using the Services applet in the Control Panel or through the command line.
2. Open the Registry Editor (select Start/Run, type regedit, and press Enter).
3. Navigate to the key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS
4. Right-click the DNS folder, and from the context menu, choose Export.
5. When prompted for a filename, enter DNS-CCS and choose an appropriate location that is off the server.
6. Now, navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server key.
7. Right-click the DNS Server folder, and from the context menu, choose Export.
8. Name this file DNS-CV and again choose a location that is not on the current server. These two files will be DNS-CCS.REG and DNS-CV.REG.
9. Now, using Windows Explorer, navigate to the %SystemRoot%\System32\dns directory on the boot drive.
10. Find all files with the .DNS extension, select them, and then copy them to the same location that you exported DNS-CCS.REG and DNS-CV.REG.
Your DNS service is now completely backed up. Restart the DNS service to continue using it.
To restore a set of DNS configuration files, install a Windows Server 2003 machine and use the same computer name, DNS suffix, and IP address. Be sure to install the DNS service. Then, copy all of the .DNS files from your backup to the %SystemRoot%\System32\dns directory and stop the DNS service. Double-click DNS-CCS.REG and confirm that you want its contents imported into the registry; do the same for DNS-CV.REG. Finally, restart the DNS service, and your replacement server should function normally.
earlier in this chapter, and then instruct it to use a preexisting zone file.
