Managing DNS Records
from Chapter 19, Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek.
After you create the necessary zone files, you can add records to the zones. Computers that need to be accessed from Active Directory and DNS domains must have DNS records. Although there are many different types of DNS records, most of these record types aren't commonly used. So rather than focus on record types you probably won't use, let's focus on the ones you will use:
A (address) Maps a host name to an IP address. When a computer has multiple adapter cards or IP addresses, or both, it should have multiple address records.
CNAME (canonical name) Sets an alias for a host name. For example, using this record, zeta.microsoft.com can have an alias as www.microsoft.com.
MX (mail exchange) Specifies a mail exchange server for the domain, which allows mail to be delivered to the correct mail servers in the domain.
NS (name server) Specifies a name server that is authoritative for the domain. Resolvers follow NS records to find the servers that can answer for a zone (and for any child zones delegated from it). Each primary and secondary name server should be declared through this record.
PTR (pointer) Creates a pointer that maps an IP address to a host name for reverse lookups.
SOA (start of authority) Declares the host that's the most authoritative for the zone and, as such, is the best source of DNS information for the zone. Each zone file must have an SOA record (which is created automatically when you add a zone).
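As an added example (not part of the book), here is what these record types look like in the text form Windows DNS uses for a standard primary zone, written out for the book's example domain together with its matching reverse lookup zone. The host names zeta, gamma and beanie come from this chapter; the addresses, the mail-server and ISP-secondary names, the serial number and the timer values are assumptions for illustration:

```zone
; microsoft.com.dns  (standard primary zone file; comments start with ';')
@   IN SOA zeta.microsoft.com. administrator.microsoft.com. (
        2024010101   ; serial: bumped on every change, compared by secondaries
        3600         ; refresh: secondaries check for a new serial hourly
        600          ; retry: wait 10 minutes after a failed check
        604800       ; expire: stop answering after 7 days without the primary
        86400 )      ; minimum (default) TTL: 24 hours for records with no TTL
    IN NS  zeta.microsoft.com.            ; primary
    IN NS  ns2.example-isp.net.           ; ISP secondary (assumed name)
    IN MX  10 mail1.microsoft.com.        ; lowest preference number is tried first
    IN MX  20 mail2.microsoft.com.
zeta    IN A     10.10.1.10
gamma   IN A     10.10.1.11
beanie  IN A     10.10.1.14
mail1   IN A     10.10.1.25               ; MX targets need A records, not CNAMEs
mail2   IN A     10.10.1.26
www     IN CNAME gamma.microsoft.com.     ; two aliases for one host
ftp     IN CNAME gamma.microsoft.com.

; 1.10.10.in-addr.arpa.dns  (reverse lookup zone for 10.10.1.0/24)
@   IN SOA zeta.microsoft.com. administrator.microsoft.com. (
        2024010101 3600 600 604800 86400 )
    IN NS  zeta.microsoft.com.
10  IN PTR zeta.microsoft.com.
11  IN PTR gamma.microsoft.com.
14  IN PTR beanie.microsoft.com.
```

A name that ends with a period is complete; a name without one has the zone name appended, so the line for gamma creates gamma.microsoft.com. The @ stands for the zone itself, which is why the SOA, NS and MX records carry no name of their own. Note that the Responsible Person field writes the address administrator@microsoft.com with a period in place of the @.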
Adding Address and Pointer Records
The A record maps a host name to an IP address and the PTR record creates a pointer to the host for reverse lookups. You can create address and pointer records at the same time or separately.
You create a new host entry with A and PTR records by doing the following:
In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.
Right-click the domain you want to update, and then from the pop-up menu, choose New Host. This opens the dialog box shown in Figure 19-7.
Figure 19-7: Create A records and PTR records simultaneously with the New Host option.
Type the single-part computer name and IP address.
Select the Create Associated Pointer (PTR) Record check box if you want the reverse lookup record created at the same time.
Note: You can only create PTR records if the corresponding reverse lookup zone is available. You can create this zone by following the steps listed in the section of this chapter entitled "Configuring Reverse Lookups."
Click Add Host. Repeat as necessary to add other hosts.
Click Done when you're finished.
Adding a PTR Record Later
If you need to add a PTR record later, you can do so by completing the following steps:
In the DNS console, expand the Reverse Lookup Zones folder for the server you want to work with.
Right-click the subnet you want to update, and then from the pop-up menu, choose New Pointer. This opens the dialog box shown in Figure 19-8.
Figure 19-8: You can add PTR records later, if necessary, with the New Resource Record dialog box.
Type the host's IP address, and then type the fully qualified domain name of the computer, such as 10.10.1.14 and beanie.microsoft.com. Click OK.
Adding DNS Aliases with CNAME
You specify host aliases using CNAME records. Aliases allow a single host computer to appear to be multiple host computers. For example, the host gamma.microsoft.com can be made to appear as www.microsoft.com and ftp.microsoft.com.
To create a CNAME record, follow these steps:
In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.
Right-click the domain you want to update and then from the pop-up menu, choose New Alias. This opens the dialog box shown in Figure 19-9.
Type the alias in the Alias Name field. The alias is a single-part host name, such as www or ftp.
In the Fully Qualified Name For Target Host field, type the full host name of the computer for which the alias is to be used.
Click OK.
Figure 19-9: When you create the CNAME record, be sure to use the single-part host name and then the fully qualified host name.
Adding Mail Exchange Servers
MX records identify mail exchange servers for the domain. These servers are responsible for processing or forwarding mail within the domain. When you create an MX record, you must specify a preference number for the mail server. A preference number is a value from 0 to 65,535 that denotes the mail server's priority within the domain. The mail server with the lowest preference number has the highest priority and is the first to receive mail. If delivery to that server fails, the mail server with the next lowest preference number is tried.
You create an MX record by doing the following:
In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.
Right-click the domain you want to update, and then from the pop-up menu, choose New Mail Exchanger. This opens the dialog box shown in Figure 19-10.
You can now create a record for the mail server by filling in these fields:
Host Or Domain Enter the single-part host name the MX record applies to, or leave the field blank to create the record for the domain itself (the usual case).
Mail Server Enter the fully qualified host name.
Mail Server Priority Enter a preference number for the host from 0 to 65,535.
Figure 19-10: Mail servers with the lowest preference number have the highest priority.
Tip Assign preference numbers that leave room for growth. For example, use 10 for your highest priority mail server, 20 for the next, and 30 for the one after that.
Click OK.
Adding Name Servers
Name Server records specify the name servers for the domain. Each primary and secondary name server should be declared through this record. If you obtain secondary name services from an Internet service provider, be sure to insert the appropriate Name Server records.
You create a Name Server record by doing the following:
In the DNS console, expand the Forward Lookup Zones folder for the server you want to work with.
Display the DNS records for the domain by selecting the domain folder in the tree view.
Right-click an existing Name Server record in the view pane, and then select Properties. This opens the Properties dialog box for the domain with the Name Servers tab selected, as shown in Figure 19-11.
Click Add.
In the Server Name field, type the fully qualified host name of the DNS server you're adding.
Figure 19-11: Configure name servers for the domain through the domain's Properties dialog box.
In the IP Address field, type the primary IP address for the server. Click Add. Repeat this process to specify additional IP addresses for the server. The order of the entries determines which IP address is used first. Change the order as necessary using the Up and Down buttons.
Click OK. Repeat the Add procedure to specify other DNS servers for the domain.
Viewing and Updating DNS Records
To view or update DNS records, follow these steps:
Double-click the zone you want to work with. Records for the zone should be displayed in the right pane.
Double-click the DNS record you want to view or update. This opens the record's Properties dialog box. Make the necessary changes and click OK.
Updating Zone Properties and the SOA Record
Each zone has separate properties that you can configure. These properties set general zone parameters by using the start of authority (SOA) record, change notification, and WINS integration. In the DNS console, you open the zone properties by doing either of the following:
Right-click the zone you want to update, and then from the pop-up menu, choose Properties.
Select the zone, and then from the Action menu, choose Properties.
Properties dialog boxes for forward and reverse lookup zones are identical except for the WINS and WINS-R tabs. In forward lookup zones, you use the WINS tab to configure lookups for NetBIOS computer names. In reverse lookup zones, you use the WINS-R tab to configure reverse lookups for NetBIOS computer names.
Modifying the Start Of Authority Record
A start of authority (SOA) record designates the authoritative name server for a zone and sets general zone properties, such as retry and refresh intervals. You can modify this information by doing the following:
In the DNS console, right-click the zone you want to update and then from the pop-up menu, choose Properties.
Click the Start Of Authority (SOA) tab, and then update the fields shown in Figure 19-12.
You use the fields of the Start Of Authority (SOA) tab as follows:
Serial Number A serial number that indicates the version of the zone data. The number is updated automatically whenever you make changes to the zone; you can also update it manually. Secondary servers use this number to determine whether the zone's DNS records have changed: if the primary server's serial number is larger than the secondary server's serial number, the records have changed and the secondary server requests a fresh copy of the zone. You can also configure DNS to notify secondary servers of changes (which may speed up the update process).
Figure 19-12: Use the zone's Properties dialog box to set general properties for the zone and to update the SOA record.
Primary Server The fully qualified domain name for the name server, followed by a period. The period is used to terminate the name and ensure that the domain information isn't appended to the entry.
Responsible Person The e-mail address of the person in charge of the domain. The default entry is administrator followed by a period, meaning administrator@your_domain. If you change this entry, substitute a period in place of the at (@) symbol in the e-mail address and terminate the address with a period.
Refresh Interval The interval at which a secondary server checks for zone updates. If it's set to 60 minutes, NS record changes may not get propagated to a secondary server for up to an hour. You reduce network traffic by increasing this value.
Retry Interval The time the secondary server waits after a failure to download the zone database. If it's set to 10 minutes and a zone database transfer fails, the secondary server will wait 10 minutes before requesting the zone database once more.
Expires After The period of time for which zone information is valid on the secondary server. If the secondary server can't contact a primary server within this period, the secondary server discards its copy of the zone and stops answering queries for it. Setting Expires After to seven days allows the data on a secondary server to remain valid for seven days after its last successful check.
Minimum (Default) TTL The default time-to-live value for records in the zone. It applies to every record that doesn't carry its own TTL and tells any server that caches the record, not only your secondaries but every resolver on the Internet that has looked it up, how long it may keep it. The value is set in the format Days : Hours : Minutes : Seconds. When this value is reached, the caching server discards the record, and the next request for it must go back to one of the zone's authoritative servers. Set the minimum TTL to a relatively high value, such as 24 hours, to reduce traffic on the network and increase efficiency. However, keep in mind that a higher value slows down the propagation of updates through the Internet, so lower it well ahead of a planned address change.
TTL For This Record The time-to-live value for this SOA record itself. The value is set in the format Days : Hours : Minutes : Seconds and generally should be the same as the minimum TTL for all records.
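The following is an added example, not from the book, that models what a secondary server does with the SOA fields just described: it reads the record in the text form Windows writes for a standard zone, compares serial numbers the way secondaries actually do (RFC 1982 serial arithmetic, which wraps at 2^32 rather than a plain "larger than"), checks that the timers are in a sensible relationship, and works out how the refresh, retry and expire values play out while the primary is unreachable. The SOA text, names and values are constructed for illustration.

```python
# Added example, not from the book: what a secondary server does with the SOA
# fields described above.  The SOA text, names and values are constructed.
import re

# Constructed SOA record in the zone-file form Windows DNS writes for a
# standard primary zone (comments start with ';').
SOA_TEXT = """
@ IN SOA zeta.microsoft.com. administrator.microsoft.com. (
        2024010105   ; serial
        3600         ; refresh (1 hour)
        600          ; retry (10 minutes)
        604800       ; expire (7 days)
        86400 )      ; minimum (default) TTL (24 hours)
"""

SERIAL_MODULUS = 2 ** 32


def parse_soa(text):
    """Parse the SOA fields into a dict; the Responsible Person field is
    turned back into an e-mail address (its first '.' stands for '@')."""
    body = re.sub(r";[^\n]*", "", text)               # strip comments
    tokens = body.replace("(", " ").replace(")", " ").split()
    i = tokens.index("SOA")
    primary, rname = tokens[i + 1], tokens[i + 2]
    serial, refresh, retry, expire, minimum = (int(t) for t in tokens[i + 3:i + 8])
    local, _, domain = rname.rstrip(".").partition(".")
    return {
        "primary": primary, "email": f"{local}@{domain}", "serial": serial,
        "refresh": refresh, "retry": retry, "expire": expire, "minimum": minimum,
    }


def serial_is_newer(primary_serial, secondary_serial):
    """RFC 1982 serial-number arithmetic.  'Larger' is taken modulo 2**32, so a
    primary whose serial wrapped past 4294967295 still looks newer to a
    secondary holding a high serial; a plain '>' would stall transfers for
    good after a wrap."""
    if primary_serial == secondary_serial:
        return False
    diff = (primary_serial - secondary_serial) % SERIAL_MODULUS
    return 0 < diff < SERIAL_MODULUS // 2


def timer_problems(soa):
    """Relationships between the timers that the text implies but the
    dialog box does not enforce."""
    problems = []
    if soa["retry"] >= soa["refresh"]:
        problems.append("retry should be shorter than refresh")
    if soa["expire"] <= soa["refresh"] + soa["retry"]:
        problems.append("expire must outlast refresh plus at least one retry")
    if soa["minimum"] > soa["expire"]:
        problems.append("minimum TTL longer than expire")
    return problems


def failed_checks_during_outage(soa, outage_seconds):
    """Failed refresh attempts a secondary makes if the primary goes down right
    after a successful check and stays down for outage_seconds: the first at
    'refresh', then one every 'retry'."""
    if outage_seconds <= soa["refresh"]:
        return 0
    remaining = outage_seconds - soa["refresh"]
    return 1 + (remaining - 1) // soa["retry"]    # ceil(remaining / retry)


def secondary_still_answers(soa, outage_seconds):
    """A secondary keeps answering from its copy until 'expire' seconds have
    passed since its last successful check, then stops answering for the zone."""
    return outage_seconds < soa["expire"]


if __name__ == "__main__":
    soa = parse_soa(SOA_TEXT)
    print(soa["primary"], soa["email"], soa["serial"], timer_problems(soa))
    for hours in (1, 2, 24, 7 * 24):
        secs = hours * 3600
        print(f"primary down {hours:4d}h: {failed_checks_during_outage(soa, secs):4d} failed checks,",
              "still answering" if secondary_still_answers(soa, secs) else "zone expired")
```

With the constructed values, two hours without the primary means one failed check at the refresh point and five more at the retry interval, and the secondary keeps answering for the whole seven days of the expire period before it goes silent. The serial comparison matters when you set serials by hand: a secondary holding 4294967290 will still accept a primary that has wrapped round to 5, but will ignore one you set "lower" by mistake.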
Notifying Secondaries of Changes
You set properties for a zone with its start of authority record. These properties control how DNS information is propagated on the network. You can also specify that the primary server should notify secondary name servers when changes are made to the zone database. To do this, follow these steps:
In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.
On the Zone Transfers tab, click Notify. This displays the dialog box shown in Figure 19-13.
Figure 19-13: You can notify all secondaries listed on the Name Servers tab or specific servers that you designate.
By default, all secondary servers listed on the Name Servers tab are notified of changes. If you want to designate specific servers to notify, select The Following Servers, and then type the IP addresses of secondary servers to notify. Click OK.
Restricting Zone Transfers
Restricting access to zone information is a security precaution you should consider using on your network. A zone transfer hands out every record in the zone at once, so a server that allows transfers to anyone lets an outsider list all of your host names and addresses with a single request, which is a common first step in reconnaissance against a network. When you restrict access to zone information, only servers that you've identified can request the zone from the primary server. This allows you to funnel requests through a select group of secondary servers, such as your Internet service provider's secondary name servers, and to hide the details of your internal network from the outside world.
To restrict access to the primary zone database, follow these steps:
In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.
Click the Zone Transfers tab. Zone transfers send a copy of zone information to other DNS servers. These servers can be in the same domain or in other domains. By default, zone information is transferred to any server that requests it.
To restrict transfers to name servers listed on the Name Servers tab, select Allow Zone Transfers and then click Only To Servers Listed On The Name Servers Tab.
To restrict transfers to designated servers, select Allow Zone Transfers and then click Only To The Following Servers. Afterward, type the IP addresses for the servers that should receive zone transfers. Click OK.
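After restricting transfers, confirm the setting from a host that is not on the allowed list. The following added example (not from the book) sends a full zone transfer request (AXFR) to a server over TCP using only the Python standard library and reports whether the server handed out records or refused. The message layout follows RFC 1035; the server address and zone name in the usage line are assumptions, and the REFUSED reply embedded for offline testing is constructed.

```python
# Added example, not from the book: verify from an outside host that a server
# refuses a full zone transfer (AXFR) once transfers have been restricted.
# Standard library only; message layout per RFC 1035.  The server address and
# zone name used in the usage line are assumptions.
import socket
import struct

QTYPE_AXFR = 252
QCLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    # 'microsoft.com' -> length-prefixed labels: 9 'microsoft' 3 'com' 0
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def build_axfr_query(zone, txid=0x1234):
    """12-byte header (flags 0: AXFR is sent without RD) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN)


def parse_response_header(msg):
    """Return (rcode name, answer count) from a DNS message header."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return RCODES.get(rcode, str(rcode)), an


def transfer_allowed(first_message):
    """A permitted AXFR starts with a NOERROR message carrying records (the
    zone's SOA comes first); a restricted server answers with an error code
    such as REFUSED and no records."""
    rcode, answers = parse_response_header(first_message)
    return rcode == "NOERROR" and answers > 0


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-message")
        buf += chunk
    return buf


def check_axfr(server, zone, port=53, timeout=5.0):
    """Send the AXFR over TCP (each message is prefixed by a 2-byte length) and
    return (allowed, rcode) based on the first message the server sends back.
    Some servers simply drop the connection instead of answering; that is
    reported as refused too."""
    query = build_axfr_query(zone)
    try:
        with socket.create_connection((server, port), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            (length,) = struct.unpack("!H", recv_exact(s, 2))
            first = recv_exact(s, length)
    except ConnectionError:
        return False, "CLOSED"
    return transfer_allowed(first), parse_response_header(first)[0]


# Constructed reply a correctly restricted server sends: same txid, flags
# 0x8005 = QR set with RCODE 5 (REFUSED), the question echoed, no answers.
REFUSED_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8005, 1, 0, 0, 0)
                 + encode_name("microsoft.com") + struct.pack("!HH", QTYPE_AXFR, QCLASS_IN))

if __name__ == "__main__":
    import sys
    server, zone = sys.argv[1], sys.argv[2]       # e.g. 10.10.1.10 microsoft.com (assumed)
    allowed, rcode = check_axfr(server, zone)
    print(f"{zone} @ {server}: rcode={rcode}, transfer {'ALLOWED' if allowed else 'refused'}")
```

Run it from a machine outside the allowed list; "transfer refused" is the result you want, and an ALLOWED result means anyone can still enumerate the zone. The tools on a Windows 2000 box give the same answer without any code: in nslookup, enter server followed by the DNS server's address, then ls -d microsoft.com, which is itself a zone transfer request and should fail once transfers are restricted.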
Setting the Zone Type
When you create zones, they are designated as Active Directory-integrated, standard primary, or standard secondary. You can change the type at any time by completing the following steps:
In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.
On the General tab, click Change. In the Change Zone Type dialog box, select the new type for the zone.
Enabling and Disabling Dynamic Updates
Dynamic updates allow DNS clients to register and maintain their own address and pointer records. This is useful for computers dynamically configured through DHCP. By enabling dynamic updates, you make it easier for dynamically configured computers to locate each other on the network. Keep in mind that with nonsecure dynamic updates, any computer that can reach the server can add or overwrite any record in the zone, including the records of your servers, and so redirect traffic meant for them. When a zone is integrated with Active Directory, you have the option of requiring secure updates. With secure updates, you use access control lists to control which computers and users can dynamically update DNS; the computer that registers a record becomes its owner, so other clients can't overwrite it.
You can enable and disable dynamic updates by completing the following steps:
In the DNS console, right-click the domain or subnet you want to update and then from the pop-up menu, choose Properties.
Use the following options of the Allow Dynamic Updates selection list to enable or disable dynamic updates:
No Disable dynamic updates.
Yes Enable dynamic updates.
Only Secure Updates Enable dynamic updates with Active Directory security. This is available only with Active Directory integration.
Click OK.
Note: DNS integration settings must also be configured for DHCP. See the section of Chapter 17 entitled "Integrating DHCP and DNS."
from Microsoft Windows 2000 Administrator's Pocket Consultant by William R. Stanek. Copyright © 1999 Microsoft Corporation.