Chapter 3 Deploying DNS
Microsoft® Windows® Server 2003 Domain Name System (DNS) provides efficient name resolution and
interoperability with standards-based technologies. Deploying DNS in your client/server infrastructure
enables resources on a TCP/IP network to locate other resources on the network by using host name-to-IP
address resolution and IP address-to-host name resolution. The Active Directory® directory service requires
DNS for locating network resources.
In This Chapter
Overview of DNS Deployment..............................................................................................................114
Examining Your Current Environment..................................................................................................120
Designing a DNS Namespace................................................................................................................122
Designing a DNS Server Infrastructure.................................................................................................141
Designing DNS Zones............................................................................................................................147
Configuring and Managing DNS Clients...............................................................................................154
Securing Your DNS Infrastructure.........................................................................................................155
Integrating DNS with Other Windows Server 2003 Services................................................................164
Implementing Windows Server 2003 DNS............................................................................................168
Additional Resources.............................................................................................................................174
Related Information
For more information about DNS, the Windows Server 2003 DNS Server service,
and Windows Server 2003 DNS Client service, see the Networking Guide of the
Microsoft® Windows® Server 2003 Resource Kit (or see the Networking Guide on the
Web at http://www.microsoft.com/reskit).
114 Chapter 3 Deploying DNS
DNS Concepts
Windows Server 2003 DNS is based on Requests For Comments (RFCs) standards developed by the Internet
Engineering Task Force (IETF) and is therefore interoperable with other standards-compliant DNS
implementations. DNS uses a distributed database that implements a hierarchical naming system. This
naming system enables an organization to expand its presence on the Internet and enables the creation of
names that are unique both on the Internet and on private TCP/IP-based intranets.
By using DNS, any computer on the Internet can look up the name of any other computer in the Internet
namespace. Computers running Windows Server 2003 and Microsoft® Windows® 2000 also use DNS to
locate domain controllers and other servers running Active Directory.
DNS Roles
Deploying a DNS infrastructure involves design, implementation, and maintenance tasks. The individuals
who are responsible for these tasks include DNS designers and the DNS administrators. Before you begin
designing your DNS deployment, it is helpful to identify the individuals in your organization who are
responsible for these roles. Table 3.1 lists the responsibilities of the DNS designer and DNS administrator
roles.
Table 3.1 DNS Roles
Role: DNS designer
    Responsibility: Designing the DNS namespace; placing DNS servers and zones within the DNS namespace; creating a secure DNS infrastructure; designing DNS integration with Active Directory.
Role: DNS administrator
    Responsibility: Deploying, configuring, and managing the DNS infrastructure; managing Active Directory integration.
Important
You must plan your DNS namespace in conjunction with planning your
Active Directory logical structure. For more information about designing
the Active Directory logical structure, see “Designing the Active Directory
Logical Structure” in Designing and Deploying Directory and Security
Services of this kit.
... but you do not want to redesign your DNS namespace.
... This enables you to deploy the highest level of security by using the simplest management techniques.
Note
You can also use the same name for the internal domain and the
external domain. However, this method is not recommended. It creates
name resolution problems because it introduces DNS names that are not
unique. This method requires additional configuration to enable
optimized performance.
Select the configuration design option that best meets the needs of your organization. Table 3.3 lists the
design options for deploying a mixed internal and external namespace and the level of management
complexity for each option, along with an example to illustrate each option.
Table 3.3 Mixed Internal and External DNS Namespace Design Options
Design option: The internal domain is a subdomain of the external domain.
    Management complexity: Easy to deploy and administer.
    Example: An organization with an external namespace contoso.com uses the internal namespace corp.contoso.com.
Design option: The internal and external domain names are different from each other.
    Management complexity: More complicated than the previous option.
    Example: An organization uses contoso.com for its external namespace, and corp.internal for its internal namespace.
Important
Do not reuse names that exist on the Internet in your internal
namespace. If you repeat Internet DNS names on your intranet, it can
result in name resolution errors.
If name resolution is required by computers that do not support software proxy, or by computers that support
only LATs, then you cannot use an internal root for your DNS namespace. In this case, you must configure
one or more internal DNS servers to forward queries that cannot be resolved locally to the Internet.
Table 3.4 lists the types of client proxy capabilities and whether you can use an internal DNS root for each
type.
Table 3.4 Client Proxy Capabilities
Proxy capability: No proxy
    Microsoft software with corresponding proxy capabilities: Generic Telnet
    Forwards queries: No
    Can you use an internal root? No
Proxy capability: Local Address Table (LAT)
    Microsoft software with corresponding proxy capabilities: Winsock Proxy (WSP) 1.x and later; Microsoft® Internet Security and Acceleration (ISA) Server 2000 and later
    Forwards queries: No
    Can you use an internal root? No
Proxy capability: Name Exclusion List
    Microsoft software with corresponding proxy capabilities: WSP 1.x and later; Internet Security and Acceleration (ISA) Server 2000 and later; all versions of Microsoft® Internet Explorer
    Forwards queries: Yes
    Can you use an internal root? Yes
Proxy capability: Proxy Auto-configuration (PAC) file
    Microsoft software with corresponding proxy capabilities: WSP 2.x; Internet Security and Acceleration (ISA) Server 2000 and later; Internet Explorer 3.01 and later
    Forwards queries: Yes
    Can you use an internal root? Yes
If you want to reduce cross-domain DNS query traffic, configure the DNS servers
that host the DNS zones in the first and second namespaces to host secondary zones
for the DNS zones in each other’s namespaces. In this configuration, the DNS servers
that host the DNS zones in each namespace are aware of the DNS servers in the other
namespace. This solution requires increased storage space for hosting secondary
copies of zones in different namespaces, and generates increased zone transfer traffic.
If storage capacity on DNS servers is a consideration, configure the DNS servers that
host the DNS zones in one namespace to forward name resolution queries in a second
namespace to the DNS servers that are hosting the DNS zones for the second
namespace. Then configure the DNS servers that host the DNS zones in the second
namespace to forward name resolution queries in the first namespace to the DNS
servers that are hosting the DNS zones for the first namespace. You can use
Windows Server 2003 DNS conditional forwarders for this configuration.
You can also use Windows Server 2003 DNS stub zones to facilitate DNS data distribution between separate
namespaces. For more information about conditional forwarders and stub zones, see Help and Support Center
for Windows Server 2003 and the Networking Guide of the Windows Server 2003 Resource Kit (or see the
Networking Guide on the Web at http://www.microsoft.com/reskit).
Table 3.5 compares feature support in Windows Server 2003 DNS and other implementations of DNS.
Table 3.5 Feature Support in Different Implementations of DNS
Implementations compared: Windows Server 2003, Windows 2000, Windows NT 4.0, BIND 9, BIND 8.2, BIND 8.1.2, BIND 4.9.7.
Features compared:
    Supports RFC 2782: A DNS RR for specifying the location of services (DNS SRV)
    Dynamic update
    Secure dynamic update based on the GSS-Transaction signature (TSIG) algorithm
    WINS and WINS-R records
    Incremental zone transfer
    UTF-8 character encoding
    DNS MMC snap-in
    Dnscmd.exe
    Active Directory–integrated zones
    Storage of zones in the DNS application directory partition
    Aging and scavenging of obsolete records
    Stub zones
    Conditional forwarding
3. Register your DNS domain name with an Internet registrar, and supply the registrar
with the DNS name and IP address of at least one DNS server that is authoritative for
your DNS domain name. For a list of Internet registrars, see the ICANN link on the
Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
The Internet domain name registration process varies according to the design of your DNS namespace.
Table 3.6 lists the domain names that you need to register for each type of DNS namespace design.
Table 3.6 Internet DNS Domain Name Registration
Namespace design: The internal domain name is a subdomain of the external domain.
    Domain name registration: Register only the external domain name.
    Example: The domain name contoso.com is used for the external namespace. The domain name corp.contoso.com is used for the internal namespace.
Namespace design: The internal and external domain names are different from each other.
    Domain name registration: Register the external domain name, and then, if you want the internal domain to be publicly accessible, also register the internal domain name.
    Example: The domain name contoso.com is used for the external namespace. The domain name corp.contoso.com is used for the internal namespace.
When you register your DNS domain name, the Internet registrar creates a delegation in the DNS zone that is
authoritative for the top-level domain that you selected. This is the top-level domain for the DNS servers that
are authoritative for your organization’s Internet DNS domain name.
Note
If a domain name that you want to register is not available in one top-
level domain, such as .com, and you register the same domain name in
another top-level domain, such as .net, then people who are searching
for your domain name on the Internet might assume that computers and
services in the wrong top-level domain belong to your company.
Note
Windows Server 2003 DNS is configured to use UTF-8 name checking
by default.
If you are integrating or migrating an existing public DNS infrastructure that is connected to the Internet into
your existing DNS infrastructure, you do not need to make any changes to the DNS domain names of your
infrastructure.
Important
Names encoded in UTF-8 format must not exceed the limits defined in
RFC 2181: Clarifications to the DNS Specification, which specifies a
maximum of 63 octets per label and 255 octets per name.
Important
Windows Server 2003 and Windows 2000 DNS support NetBIOS and
UTF-8 characters for computer names. Other versions of DNS only
support the characters permitted in RFC 1123. Therefore, only use
NetBIOS and UTF-8 character sets when you are certain that Windows
Server 2003 or Windows 2000 DNS is the method used for name
resolution. Names that are intended to be visible on the Internet must
contain ASCII-only characters, as recommended in RFC 1123.
By default, multibyte UTF-8 name checking is used. This provides the greatest tolerance when the DNS
service processes characters. This is the preferred name-checking method for most DNS servers that are not
providing name resolution services for Internet hosts.
Creating Subdomains
If you are deploying DNS on a large enterprise network, or if you expect your network to expand to include
additional subnets and sites, consider distributing the management of portions of your DNS namespace to the
administrators for the different subnets and sites in your network. To distribute the management of your DNS
namespace, create subdomains of your initial DNS domain and delegate the authority for these subdomains
to DNS servers located on different subnets or sites. In this way, you can create any number of separate and
autonomous entities within a DNS namespace, each of which is authoritative for a portion of the overall
namespace.
The Contoso division and the Trey Research division each use a different method to support name resolution
for names in their namespace. The Contoso division uses the name contoso.com externally and
corp.contoso.com internally. The internal root servers host the root zone. Internal servers also host the zone,
corp.contoso.com. The name contoso.com is registered with an Internet name authority.
To ensure that every client within the organization can resolve every name in the newly merged organization,
the private root zone contains a delegation to the zone for the top level of the merged organization’s internal
namespace, corp.treyresearch.com.
To resolve internal and external names, every DNS client must submit all queries to either the internal DNS
servers or to a proxy server. Figure 3.4 shows this configuration.
Figure 3.4 Name Resolution in the Contoso Division
Based on this configuration, internal clients can query for names in the following ways:
Query internal DNS servers for internal names. The internal DNS servers resolve
the query. If a DNS server that receives a query does not contain the requested data in
its zones or cache, it uses root hints to contact the internal root DNS servers.
Query a proxy server for names on the Internet. The proxy server forwards the
query to DNS servers on the Internet. The DNS servers on the Internet resolve the
query.
Query internal DNS servers for names in the Trey Research division. Because
the root servers contain a delegation to the top level of the DNS namespace of the
Trey Research division, the internal DNS servers recursively resolve the query by
contacting the DNS servers in the Trey Research division.
External clients:
Cannot query for internal names. This limitation helps secure the internal network.
Query DNS servers on the Internet for names in the contoso.com external
namespace. The DNS servers on the Internet resolve the query.
The Trey Research division uses the name treyresearch.com externally and the name corp.treyresearch.com
internally. The server InternalDNS.treyresearch.com hosts the corp.treyresearch.com zone. The Trey
Research division does not have a private root.
To simplify management of clients and DNS servers, Trey Research division administrators decided to use
conditional forwarding. Administrators configured the DNS server InternalDNS.treyresearch.com to forward
queries in the following manner:
The server forwards all queries destined for the Contoso division to a DNS server for
the Contoso division. For example, the server forwards queries destined for
corp.contoso.com to InternalDNS.contoso.com.
At the same time, the server forwards all other queries destined for contoso.com to a
DNS server on the Internet.
If you have an Internet presence, DNS must be working properly for Internet clients to access your Web
servers, send mail, and locate other services; therefore, it is recommended that you run a secondary DNS
server offsite. If you have a business relationship with an organization on the Internet, either business
partners or ISPs, they might agree to run a secondary server for you; however, ensure that the data on the
organization’s server is secured against Internet attackers.
To ensure that DNS remains available if your primary DNS servers are down, consider deploying a
secondary DNS server offsite.
For more information about how to place DNS servers to maximize Active Directory availability, see
“Designing the Active Directory Logical Structure” in Designing and Deploying Directory and Security
Services of this kit.
Using Forwarding
If a DNS server does not have the data to resolve a query in its cache or in its zone data, it forwards the query
to another DNS server, known as a forwarder. Forwarders are ordinary DNS servers and require no special
configuration; a DNS server is called a forwarder because it is the recipient of a query forwarded by another
DNS server.
Use forwarding for off-site or Internet traffic. For example, a branch office DNS server can forward all off-
site traffic to a forwarder at the company headquarters, and an internal DNS server can forward all Internet
traffic to a forwarder on the external network. To ensure fault tolerance, forward queries to more than one
forwarder.
Forwarders can increase network security by minimizing the list of DNS servers that communicate across a
firewall.
You can use conditional forwarding to more precisely control the name resolution process. Conditional
forwarding enables you to designate specific forwarders for specific DNS names. You can use conditional
forwarding to resolve the following:
Queries for names in off-site internal domains
Queries for names in other namespaces
When you use conditional forwarding, you can configure your DNS servers to forward queries to different
servers based on the domain name specified in the query. This eliminates steps in the forwarding chain and
reduces network traffic. When conditional forwarding is applied, the server in Site A can forward queries to
forwarders in Site B or Site C, as appropriate.
For example, the computers in the Seville site need to query computers in the Hong Kong site. Both sites use
a common DNS root server, DNS3.corp.fabrikam.com, located in Seville.
Before the Contoso Corporation upgraded to Windows Server 2003, the server in Seville forwarded all
queries that it could not resolve to its parent server, DNS1.corp.contoso.com, in Seattle. When the server in
Seville queried for names in the Hong Kong site, the server in Seville first forwarded those queries to Seattle.
After upgrading to Windows Server 2003, administrators configured the DNS server in Seville to forward
queries destined for the Hong Kong site directly to a server in that site, instead of first detouring to Seattle, as
shown in Figure 3.7.
Figure 3.7 Conditional Forwarding to an Off-Site Server
Primary Zones
Deploy primary zones that correspond to your planned DNS domain names. You cannot store both an Active
Directory–integrated and a file-based primary copy of the same zone on the same DNS server.
Secondary Zones
Add secondary zones if you do not have an Active Directory infrastructure. If you do have an Active
Directory infrastructure, use secondary zones on DNS servers that are not serving as domain controllers. A
secondary zone contains a complete copy of a zone. Therefore, use secondary zones to improve zone
availability at remote sites if you do not want zone data propagated across a WAN link by means of Active
Directory replication.
Stub Zones
A stub zone is a copy of a zone that contains only the original zone’s start of authority (SOA) resource
record, the name server (NS) resource records listing the authoritative servers for the zone, and the glue
address (A) resource records that are needed to identify these authoritative servers.
A DNS server that is hosting a stub zone is configured with the IP address of the authoritative server from
which it loads. DNS servers can use stub zones for both iterative and recursive queries. When a DNS server
hosting a stub zone receives a recursive query for a computer name in the zone to which the stub zone refers,
the DNS server uses the IP address to query the authoritative server, or, if the query is iterative, returns a
referral to the DNS servers listed in the stub zone.
Stub zones are updated at regular intervals, determined by the refresh interval of the SOA resource record for
the stub zone. When a DNS server loads a stub zone, it queries the zone’s primary servers for SOA resource
records, NS resource records at the zone’s root, and glue address (A) resource records. The DNS server
attempts to update its resource records at the end of the SOA resource record’s refresh interval. To update its
records, the DNS server queries the primary servers for the resource records listed earlier.
Note
Only DNS servers running Windows Server 2003 and BIND 9 support
stub zones.
You can use stub zones to ensure that the DNS server that is authoritative for a parent zone automatically
receives updates about the DNS servers that are authoritative for a child zone. To do this, add the stub zone
to the server that is hosting the parent zone. Stub zones can be either file-based or Active Directory–
integrated. If you use Active Directory–integrated stub zones, you can configure them on one computer and
let Active Directory replication propagate them to other DNS servers running on domain controllers.
Although conditional forwarding is the recommended method for making your servers aware of other
namespaces, you can also use stub zones for this. For more information about using stub zones, see Help and
Support Center for Windows Server 2003.
Stub Zones and Conditional Forwarding
Stub zones and conditional forwarding are Windows Server 2003 DNS features that enable you to control the
routing of DNS traffic over a network. These features enable a DNS server to respond to a query by doing
one of the following:
Providing a referral to another DNS server.
Forwarding the query to another DNS server.
A stub zone enables a DNS server that is hosting a parent zone to be aware of the names and IP addresses of
DNS servers that are authoritative for a child zone, even if the DNS server does not have a complete copy of
the child zone. In addition, when a stub zone is used, the DNS server does not have to send queries to the
DNS root servers. If the stub zone for a child zone is hosted on the same DNS server as the parent zone, the
DNS server that is hosting the stub zone receives a list of all new authoritative DNS servers for the child
zone when it requests an update from the stub zone’s primary server. In this way, the DNS server that is
hosting the parent zone maintains a current list of the authoritative DNS servers for the child zone as the
authoritative DNS servers are added and removed.
Use conditional forwarding if you want DNS servers in one network to perform name resolution for DNS
clients in another network. You can configure DNS servers in separate networks to forward queries to each
other without querying DNS servers on the Internet. If DNS servers in separate networks forward DNS client
names to each other, the DNS servers cache this information. This enables you to create a direct point of
contact between DNS servers in each network and reduces the need for recursion.
If you are using a stub zone and you have a firewall between DNS servers in the networks, then DNS servers
on the query/resolution path must have port 53 open. However, if you are using conditional forwarding and
you have a firewall between DNS servers in each of the networks, the requirement to have port 53 open only
applies to the two DNS servers on either side of the firewall.
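The conditional-forwarding design of the Trey Research division and the parent/child stub zone described above, expressed as Dnscmd.exe commands run from PowerShell against each server. This is an added example, not code from the Deployment Kit; the server and zone names are the chapter's own except where marked as assumed, and every IP address is an assumed value.

```powershell
# Added example: conditional forwarders and a stub zone configured with Dnscmd.exe.
# Dnscmd takes the target server name as its first argument, so this can be run from
# an administrative workstation with Dnscmd.exe installed.

# --- Trey Research division: InternalDNS.treyresearch.com ---
$treyServer         = 'InternalDNS.treyresearch.com'
$contosoInternalDns = '10.10.0.5'                        # assumed address of InternalDNS.contoso.com
$contosoInternetDns = '198.51.100.5'                     # assumed address of a DNS server for contoso.com on the Internet
$upstreamForwarders = '198.51.100.53', '198.51.100.54'   # assumed; more than one forwarder for fault tolerance

# In Windows Server 2003 a conditional forwarder is a zone of type Forwarder.
# Queries for corp.contoso.com go to the Contoso internal DNS server ...
dnscmd.exe $treyServer /ZoneAdd corp.contoso.com /Forwarder $contosoInternalDns
# ... and all other contoso.com queries go to the Internet-facing server.
dnscmd.exe $treyServer /ZoneAdd contoso.com /Forwarder $contosoInternetDns
# Everything that no conditional forwarder matches goes to the server-level forwarders
# (PowerShell passes each element of the array as a separate argument).
dnscmd.exe $treyServer /ResetForwarders $upstreamForwarders

# --- Contoso division: the server hosting the parent zone corp.contoso.com ---
$contosoServer   = 'InternalDNS.contoso.com'
$childZoneName   = 'sales.corp.contoso.com'   # assumed child zone delegated to another site
$childZoneMaster = '10.40.0.5'                # assumed address of a server authoritative for the child zone

# The stub zone loads only the child's SOA, NS and glue A records from its master and
# re-queries them at the child SOA refresh interval, so the parent-zone server always
# holds the current list of the child's authoritative servers. Use /DsStub instead of
# /Stub to store the stub zone in Active Directory and let replication distribute it.
dnscmd.exe $contosoServer /ZoneAdd $childZoneName /Stub $childZoneMaster

# Verify: EnumZones lists zone types, ZoneInfo shows the masters of the stub zone and
# the forwarder addresses of each conditional forwarder zone.
dnscmd.exe $contosoServer /EnumZones
dnscmd.exe $contosoServer /ZoneInfo $childZoneName
dnscmd.exe $treyServer /ZoneInfo corp.contoso.com

# Firewall consequence noted in the chapter: the stub zone needs UDP and TCP port 53
# open to every server on the query path, whereas a conditional forwarder needs port 53
# open only between the forwarding server and the forwarder it points at.
```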
In contrast, Active Directory–integrated zones that are stored in domain directory partitions are replicated to
all domain controllers in the domain. Storing Active Directory–integrated zones in an application directory
partition allows replication of DNS data to domain controllers anywhere in the same Active Directory forest.
When you are setting up your Active Directory environment and install DNS on the first Windows Server 2003
domain controller in the forest, two Windows Server 2003 DNS application directory partitions are created by
default: a forest-wide DNS application directory partition called ForestDNSZones, and, for each domain in the
forest, a domain-wide DNS application directory partition called DomainDNSZones.
Table 3.8 Replication Options for Active Directory–Integrated Zone Data (continued)
Option: All domain controllers in the Active Directory domain
    Description: The zone data replicates to all domain controllers in the specified Active Directory domain, whether or not the DNS Server service runs on the domain controllers in the domain.
    When to use: You host an Active Directory–integrated copy of this zone on a DNS server running on a Windows 2000–based domain controller.
Option: All domain controllers specified in the replication scope of a DNS application directory partition
    Description: The zone data replicates to all the domain controllers specified in the replication scope of the DNS application directory partition.
    When to use: You want to customize zone replication scope for your organization. With this option, you can minimize zone replication traffic while maximizing functionality. However, this option requires more administrative overhead. You can choose this option only if all DNS servers hosting an Active Directory–integrated copy of this zone run Windows Server 2003.
Figure 3.10 shows the process for securing your DNS infrastructure.
Figure 3.10 Securing Your DNS Infrastructure
Figure labels (DNS threats shown in the figure): Footprinting; Denial-of-service attack; Data modification; Redirection.
Note
Windows Server 2003 DNS does not support the use of DACLs on zones
to control which clients or users can send queries to the DNS server.
Secure dynamic update is configured for all DNS zones except for the top-level and
root zones, which do not allow dynamic updates at all.
All DNS servers are running on domain controllers. An access control list (ACL) is
configured on the DNS Server service to allow only specific individuals to perform
administrative tasks on DNS servers.
All DNS zones are stored in Active Directory. An ACL is configured to allow only
specific individuals to create, delete, or modify DNS zones.
ACLs are configured on DNS resource records to allow only specific individuals to
create, delete, or modify DNS data.
Use one DNS server for publicly accessed services inside your perimeter network and a
separate DNS server for your private internal network. This reduces the risk of exposing
your private namespace, which can expose sensitive names and IP addresses to Internet-
based users. It also increases performance because it decreases the number of resource
records on the DNS server.
Add a secondary server on another subnet or network, or on an ISP. This protects you
against denial-of-service attacks.
Eliminate single points of failure by securing your routers and DNS servers, and
distributing your DNS servers geographically. Add secondary copies of your zones to
at least one offsite DNS server.
Encrypt zone replication traffic by using Internet Protocol security (IPSec) or virtual
private network (VPN) tunnels to hide the names and IP addresses from Internet-
based users.
Configure firewalls to enforce packet filtering for UDP and TCP port 53.
Restrict the list of DNS servers that are allowed to initiate a zone transfer on the DNS
server. Do this for each zone in your network.
Monitor the DNS logs and monitor your external DNS servers by using Event
Viewer.
Note
Use Active Directory–integrated zones whenever possible, because they
are replicated as part of Active Directory replication, which is more
secure than file-based zone transfer.
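An audit of the zone-level items in the checklist above (secure dynamic update, no updates on root and top-level zones, Active Directory–integrated storage, restricted zone transfers, DNS notify), read through the WMI DNS provider that the chapter mentions under scripting. This is an added example, not code from the Deployment Kit; it assumes PowerShell 2.0 is installed on the Windows Server 2003 DNS server and is run with DNS administrator rights, and the sample zones at the end are constructed data.

```powershell
# Added example: audit zones against the chapter's security checklist via root\MicrosoftDNS.
# Properties of the MicrosoftDNS_Zone class used here:
#   DsIntegrated      $true when the zone is stored in Active Directory
#   AllowUpdate       0 = no dynamic update, 1 = nonsecure and secure, 2 = secure only
#   SecureSecondaries 0 = transfer to any server, 1 = only servers in the zone's NS records,
#                     2 = only the listed servers, 3 = no zone transfers
#   Notify            0 = do not notify, 1 = notify servers in NS records, 2 = notify the listed servers

function Test-DnsZoneChecklist {
    # Accepts a MicrosoftDNS_Zone instance or any object with the properties above.
    param([Parameter(Mandatory = $true)] $Zone)

    $findings = @()
    # The root zone and top-level zones (single label, e.g. "com") must refuse dynamic updates.
    $isRootOrTopLevel = ($Zone.Name -eq '.') -or ($Zone.Name -notlike '*.*')

    if ($isRootOrTopLevel) {
        if ($Zone.AllowUpdate -ne 0) {
            $findings += "$($Zone.Name): root/top-level zone accepts dynamic updates (AllowUpdate=$($Zone.AllowUpdate)); set /AllowUpdate 0"
        }
    } elseif ($Zone.AllowUpdate -eq 1) {
        $findings += "$($Zone.Name): accepts nonsecure dynamic updates; require secure dynamic update (/AllowUpdate 2)"
    }

    # Secure dynamic update and ACLs on zone data require Active Directory-integrated storage,
    # and AD replication replaces file-based zone transfer between domain controllers.
    if (-not $Zone.DsIntegrated) {
        $findings += "$($Zone.Name): file-based zone; convert it to Active Directory-integrated"
    }

    # Zone transfers must be limited to a known list of secondaries, zone by zone.
    if ($Zone.SecureSecondaries -eq 0) {
        $findings += "$($Zone.Name): zone transfer allowed to any server; restrict with /ZoneResetSecondaries /SecureList"
    }

    # A zone that does allow transfers should push changes to its secondaries with DNS notify.
    if (($Zone.SecureSecondaries -ne 3) -and ($Zone.Notify -eq 0)) {
        $findings += "$($Zone.Name): DNS notify is off; secondaries refresh only at the SOA refresh interval"
    }
    return $findings
}

function Get-DnsChecklistReport {
    param([string] $ComputerName = '.')   # '.' is the local server
    # Assumption: the root-hints cache pseudo-zone is enumerated with data file cache.dns; skip it.
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ComputerName $ComputerName |
             Where-Object { $_.DataFile -ne 'cache.dns' }
    foreach ($zone in $zones) { Test-DnsZoneChecklist -Zone $zone }
}

# Constructed sample zones (not live data): a compliant internal zone, an external zone
# that misses every check, and a private root zone that still accepts secure updates.
$sampleZones = @(
    (New-Object PSObject -Property @{ Name = 'corp.contoso.com'; DsIntegrated = $true;  AllowUpdate = 2; SecureSecondaries = 2; Notify = 2 }),
    (New-Object PSObject -Property @{ Name = 'contoso.com';      DsIntegrated = $false; AllowUpdate = 1; SecureSecondaries = 0; Notify = 0 }),
    (New-Object PSObject -Property @{ Name = '.';                DsIntegrated = $true;  AllowUpdate = 2; SecureSecondaries = 3; Notify = 0 })
)
foreach ($zone in $sampleZones) { Test-DnsZoneChecklist -Zone $zone }

# Against a live server:  Get-DnsChecklistReport -ComputerName 'InternalDNS.contoso.com'
```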
Note
For fault tolerance, you can specify multiple WINS servers in the WINS
lookup record. The server that is running the Windows 2000 or Windows
Server 2003 DNS Server service tries to locate the name by searching
the WINS servers in the order specified by the list.
Note
The WINS zone must be hosted on a DNS server that is running
Windows Server 2003 or Windows 2000 and must not be propagated to
third-party DNS servers. Third-party DNS servers do not support WINS
resource records and might not be able to host the zone.
Implementing Windows Server 2003 DNS
After you have tested your configuration in a pilot lab, you can implement your changes in your production
environment. Figure 3.12 shows the process for implementing Windows Server 2003 DNS.
Figure 3.12 Implementing Windows Server 2003 DNS
Note
Converting any zone to an Active Directory–integrated zone can increase
the use of DNS server resources and network resources. This is
because converting a zone can trigger Active Directory replication.
Before or after you install Active Directory on the server, you can use the Add or
Remove Programs tool to install the DNS Server service and then run the Configure
DNS Server Wizard to configure your zones. As with the Active Directory
Installation Wizard, the Configure DNS Server Wizard creates the standard reverse
lookup zones recommended by the DNS RFCs, and either configures the server as a
root server or initializes the root hints.
You can use the command-line tool Dnscmd.exe to configure the DNS server.
You can use Microsoft® Visual Basic® Scripting Edition (VBScript) or other
scripting languages through the Windows Management Instrumentation (WMI)
provider packaged with Windows Server 2003.
For more information about these setup options and for information about Windows Server 2003 DNS,
including how the Active Directory Installation Wizard and the Configure DNS Server Wizard determine
whether or not to initialize the root hints, see the Networking Guide of the Windows Server 2003 Resource
Kit (or see the Networking Guide on the Web at www.microsoft.com/reskit).
Setting up Zones
If you install DNS by using the Active Directory Installation Wizard, the wizard creates DNS zones that
correspond to the Active Directory domains that you specify. If the zones that you specified during the zone
planning phase of your deployment do not already exist, create them now. Note that the default DNS
installation by the Active Directory Installation Wizard includes secure dynamic update and an Active
Directory–integrated zone. If this is not the configuration you want to deploy, change the default settings.
If the zone that the wizard creates is not the type of zone that you want, change it now.
If you want to push updates to secondary DNS servers for a zone, configure DNS notify at the primary
DNS server.
For more information about how to add and remove zones, see Help and Support Center for Windows
Server 2003.
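The zone setup steps above (creating the zone, choosing its type and directory partition, enabling secure dynamic update and DNS notify) carried out with Dnscmd.exe from PowerShell, together with the per-zone transfer restriction from the securing section. This is an added example, not code from the Deployment Kit; the zone name and the secondary server addresses at the end are assumed values.

```powershell
# Added example: create an Active Directory-integrated zone and apply the chapter's
# zone settings with Dnscmd.exe. Run on the Windows Server 2003 DNS server itself
# (add the server name as the first Dnscmd argument to run it remotely).

function Initialize-SecureZone {
    param(
        [Parameter(Mandatory = $true)] [string] $ZoneName,
        [string[]] $SecondaryServers = @(),   # IP addresses allowed to transfer the zone and to be notified
        [switch]   $ForestWide                # replicate to all DNS servers in the forest (ForestDnsZones)
    )

    # Active Directory-integrated primary zone. /DsPrimary stores it in the domain-wide
    # DNS application directory partition by default.
    dnscmd.exe /ZoneAdd $ZoneName /DsPrimary
    if ($ForestWide) {
        # Move the zone to the forest-wide application directory partition.
        dnscmd.exe /ZoneChangeDirectoryPartition $ZoneName /forest
    }

    # Secure dynamic update only: 0 = none, 1 = nonsecure and secure, 2 = secure only.
    dnscmd.exe /Config $ZoneName /AllowUpdate 2

    if ($SecondaryServers.Count -gt 0) {
        # Allow zone transfers only to the listed servers, and notify exactly those servers
        # so that updates are pushed instead of waiting for the SOA refresh interval.
        dnscmd.exe /ZoneResetSecondaries $ZoneName /SecureList $SecondaryServers /NotifyList $SecondaryServers
    } else {
        # No secondaries: refuse zone transfers outright.
        dnscmd.exe /ZoneResetSecondaries $ZoneName /NoXfr /NoNotify
    }

    # Show the resulting zone properties for verification.
    dnscmd.exe /ZoneInfo $ZoneName
}

function Convert-ZoneToDsPrimary {
    # For a zone the wizard created as file-based: change its type in place rather than
    # re-creating it. Note that the conversion triggers Active Directory replication.
    param([Parameter(Mandatory = $true)] [string] $ZoneName)
    dnscmd.exe /ZoneResetType $ZoneName /DsPrimary
    dnscmd.exe /Config $ZoneName /AllowUpdate 2
}

# Assumed values: internal zone with two offsite secondaries, stored forest-wide.
Initialize-SecureZone -ZoneName 'corp.contoso.com' -SecondaryServers '10.10.0.6', '10.10.0.7' -ForestWide
```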
Configuring Forwarding
If any of your servers need to forward queries to any other server, configure forwarding on the servers that
must forward queries. If you want your server to forward queries to different servers depending on the DNS
suffix specified in the query, configure conditional forwarding appropriately.
For more information about conditional forwarding, see “Using Forwarding” earlier in this chapter, and see
the Networking Guide of the Windows Server 2003 Resource Kit (or see the Networking Guide on the Web at
http://www.microsoft.com/reskit).
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
“Designing a Resource Authorization Strategy” in Designing and Deploying
Directory and Security Services of this kit for information about establishing security
policies.
“Designing the Active Directory Logical Structure” in Designing and Deploying
Directory and Security Services of this kit for information about how to deploy DNS
specifically for Active Directory.
“Deploying Security Policy” in Designing a Managed Environment of this kit for
more information about security policies.
“Designing an Authentication Strategy” in Designing and Deploying Directory and
Security Services of this kit.
“Deploying ISA Server” in this book for more information about perimeter networks.
“Deploying DHCP” in this book.
“Designing a Group Policy Infrastructure” in Designing a Managed Environment of
this kit.
The Networking Guide of the Windows Server 2003 Resource Kit (or see the
Networking Guide on the Web at http://www.microsoft.com/reskit) for more
information about the DNS Server service and DNS troubleshooting.
The Directory Services Guide of the Windows Server 2003 Resource Kit (or see the
Directory Services Guide on the Web at http://www.microsoft.com/reskit) for more
information about Active Directory installation and removal.
RFC 1035: Domain Names — Implementation and Specification.
DNS and BIND, 4th ed., by Paul Albitz and Cricket Liu, 2001, Sebastopol, CA:
O’Reilly & Associates for more information about DNS.
Windows 2000 TCP/IP Protocols and Services, by Thomas Lee and Joseph Davies,
2000, Redmond, Washington: Microsoft Press for more information about the DNS
wire protocol.
The Internet Engineering Task Force (IETF) link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
Request for Comments (RFC) documents and IETF Internet-Drafts.
Related Tools
For information about installing and using the Windows Server 2003 Support Tools and Support Tools Help,
see the file Sreadme.doc in the \Support\Tools folder of the Windows Server 2003 operating system CD.
Dnscmd.exe
You can use the Dnscmd.exe command-line tool to perform most of the tasks that you can
perform from the DNS MMC snap-in.
DNSLint
DNSLint is a command-line tool that you can use to address some common DNS name
resolution issues, such as lame delegation, DNS record verification, and verifying DNS
records that are used for Active Directory replication.
Netdiag.exe
Netdiag.exe helps you to isolate networking and connectivity problems by performing a
series of tests to determine the state of your network client and whether it is functional.
Nslookup.exe
You can use the Nslookup.exe command-line tool to submit DNS queries and display the
results of the queries.
Related Help Topics
For best results in identifying Help topics by title, in Help and Support Center, under the Search box, click
Set search options. Under Help Topics, select the Search in title only checkbox.
“Migrating servers” in Help and Support Center for Windows Server 2003 for
information about upgrading your existing DNS servers or migrating third-party DNS
servers.
“Monitor servers” in Help and Support Center for Windows Server 2003 for more
information about testing DNS server performance.
“Initiate a zone transfer at a secondary server” in Help and Support Center for
Windows Server 2003 for more information about using zone transfer.
“Dynamic update” in Help and Support Center for Windows Server 2003 for
information about how to configure dynamic updates.
“Allow only secure dynamic updates” in Help and Support Center for Windows
Server 2003 for information about how to allow only secure dynamic updates.
“Configuring DNS client settings” in Help and Support Center for Windows
Server 2003 for more information about how to install and configure DNS clients.