Active Directory domains require DNS servers in order to enable all domain members to
resolve the names of computers and services. In most Windows networks, in fact, DNS servers
are hosted on the Active Directory domain controllers themselves. Deploying a new DNS
server in such a case requires very little administrative expertise, but you still need to know
how to customize a DNS deployment to meet the particular needs of your organization.
This lesson introduces you to DNS server deployment and configuration. Whereas the topic of
creating and configuring zones is covered in Chapter 3, “Configuring a DNS Zone Infrastructure,”
this lesson focuses on configuring server-wide properties and features.
After this lesson, you will be able to:
■ Deploy a DNS server on a new Active Directory domain controller
■ Deploy a DNS server on a computer that is not a domain controller
■ Deploy a DNS server on a Server Core installation of Windows Server 2008
■ Configure DNS server properties
■ Understand when to configure DNS forwarding
Estimated lesson time: 60 minutes
Deploying a DNS Server on a Domain Controller
Active Directory Domain Services (AD DS), which provides the unified management structure
for all accounts and resources in a Windows network, is tightly integrated with DNS. In Active
Directory, DNS is required for locating resources like domain controllers, and DNS zone data
can optionally be stored within the Active Directory database.
When you deploy a DNS server within an Active Directory domain, you typically do so on a
domain controller. Deploying DNS servers on domain controllers enables the zone to benefit
from additional features, such as secure dynamic updates and Active Directory replication
among multiple DNS servers. The best way to deploy a DNS server on a domain controller, in
turn, is to install it at the same time as you install the domain controller.
To promote a server to a domain controller for a new or existing domain, run Dcpromo.exe.
This program first installs the AD DS binaries (the data elements common to all Active
Directory domains) and then launches the AD DS Installation Wizard. The wizard prompts
you for the name of the Active Directory domain, such as Fabrikam.com, for which you are
installing the domain controller. The name you give to the Active Directory domain then
becomes the name of the associated DNS zone. This page in the AD DS Installation Wizard
is shown in Figure 2-10.
122 Chapter 2 Configuring Name Resolution
Figure 2-10 The Active Directory domain name becomes a DNS zone name
NOTE What is the Active Directory Domain Services server role?
Installing the AD DS binaries can require up to five minutes, and because of this time requirement
you might prefer to install the AD DS binaries as a separate step before running Dcpromo. To do so,
use the Add Roles Wizard to add the Active Directory Domain Services server role. Note that this
server role does not provide any functionality until you run Dcpromo.
Later in the wizard you are given an opportunity to install a DNS server on the same domain
controller. This option is selected by default, as shown in Figure 2-11.
If you do choose to install a DNS Server along with the new domain controller, the DNS server
and the hosted forward lookup zone will automatically be configured for you. You can review
or manage these settings in DNS Manager, as shown in Figure 2-12, after the AD DS Installation
Wizard completes. To open DNS Manager, click Start, point to Administrative Tools, and
then choose DNS.
Lesson 2: Deploying a DNS Server 123
Figure 2-11 Installing a DNS server along with an Active Directory domain controller
Figure 2-12 Dcpromo can automatically configure a locally hosted DNS server with a forward
lookup zone for the domain
Quick Check
■ What is the main function of Dcpromo?
Quick Check Answer
■ It is used to promote a server to a domain controller.
Deploying a DNS Server on a Stand-alone or Member Server
Your name resolution infrastructure might require you to install a DNS server on a stand-alone
server or on a member server in an Active Directory domain. In this case you will need to
install a DNS server without using Dcpromo.
To install a DNS server, use the Add Roles Wizard available in Server Manager or the Initial
Configuration Tasks window. Then, in the wizard, select the DNS Server role (as shown in
Figure 2-13) and follow the prompts.
Figure 2-13 Installing a DNS server without AD DS
Installing the DNS server separately from AD DS requires you to configure the DNS server
manually afterward. The main task in configuring a DNS server manually is to add and configure
one or more forward lookup zones. To add a forward lookup zone, right-click the Forward
Lookup Zones folder in the DNS Manager console tree, and then choose New Zone, as
shown in Figure 2-14.
For more information about creating, configuring, and managing DNS zones, see Chapter 3,
“Configuring a DNS Zone Infrastructure.”
Figure 2-14 Adding a New Zone
Deploying a DNS Server on a Server Core Installation of Windows
You can install a DNS server on a Server Core installation of Windows Server 2008 along with
AD DS by using Dcpromo, in which case the DNS server can be installed and configured automatically.
You also have the option of installing the DNS server as a stand-alone or member
To install a DNS server along with a domain controller on a Server Core installation, use
Dcpromo. However, no wizard is available to facilitate the process. You must specify an answer
file with the Dcpromo command.
To install the Active Directory Domain Services role on a Server Core installation, at the command
prompt type dcpromo /unattend:<unattendfile>, where unattendfile is the name of a
Dcpromo.exe unattend or answer file.
You can create the Dcpromo answer file by running Dcpromo on another computer that is running
a full installation of Windows Server 2008. On the last (Summary) page of the wizard,
before the installation is actually performed, you are given an opportunity to export settings to
an answer file, as shown in Figure 2-15. You can then cancel out of the wizard and use the
answer file with Dcpromo on the Server Core installation.
Figure 2-15 Creating an answer file for Dcpromo
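The answer file that the wizard exports is an INI-style text file. As an added example (not from the training kit), the following PowerShell script writes a minimal answer file for a new forest root domain named fabrikam.com with a DNS server installed on the domain controller, and then runs Dcpromo with it; the parameter names are the Windows Server 2008 Dcpromo unattend parameters, while the file path, domain name, paths and password are assumed placeholders. Because a Server Core installation of Windows Server 2008 has no Windows PowerShell, write the file on a full installation and copy it over, typing only the final dcpromo line on the Server Core computer.

```powershell
# Added example (not from the training kit): build a minimal Dcpromo answer file
# for a new forest root domain, fabrikam.com, with DNS installed on the DC.
# Assumptions: the parameter names are the Windows Server 2008 dcpromo unattend
# parameters; the path, domain name, NTDS/SYSVOL paths and password are placeholders.
$answerFile = 'C:\dcpromo-answer.txt'

$content = @"
[DCInstall]
; Create a new forest whose root domain is fabrikam.com
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=fabrikam.com
DomainNetbiosName=FABRIKAM
; 3 = Windows Server 2008 forest and domain functional level
ForestLevel=3
DomainLevel=3
; Install the DNS Server role and let Dcpromo create the fabrikam.com zone
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Directory Services Restore Mode password (placeholder; Dcpromo removes it
; from the file after use, so do not leave the file on a shared location)
SafeModeAdminPassword=<placeholder-DSRM-password>
RebootOnCompletion=Yes
"@

# Write the file as plain ASCII text so Dcpromo can parse it
Set-Content -Path $answerFile -Value $content -Encoding ASCII

# Run on the Server Core computer after copying the file there:
dcpromo /unattend:$answerFile
```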
If you want to install a DNS server on a stand-alone or member server running a Server Core
installation of Windows Server 2008, type the following command:
start /w ocsetup DNS-Server-Core-Role
To remove the role, type the following:
start /w ocsetup DNS-Server-Core-Role /uninstall
After you have installed the DNS server on a Server Core installation, whether by using
Dcpromo or the Start /w ocsetup command, you can configure and manage the server by connecting
to it through DNS Manager on another computer.
To connect to another server from DNS Manager, right-click the root (server name) icon in the
DNS Manager console tree, and then choose Connect To DNS Server, as shown in Figure 2-16.
Figure 2-16 Using DNS Manager on a full installation to manage a DNS server installed on a Server
Configuring a Caching-only DNS Server
All DNS servers include a cache of query responses. Although a DNS server initially contains
no cached information, cached information is obtained over time as client requests are serviced.
When a client queries a DNS server with a name resolution request, the DNS server first
checks its cache to see if it already has the answer stored. If the server can respond with information
from resource records found in the local cache, the server response to the client is
Cached records stay alive in the server cache until they exceed their TTL value, until the
DNS Server service is restarted, or until the cache is cleared manually.
Caching-only servers do not host any zones and are not authoritative for any particular domain.
However, the mere availability of a DNS server cache that is shared by clients can be useful in
certain network scenarios.
For example, if your network includes a branch office with a slow wide area network (WAN)
link between sites, a caching-only server can improve name resolution response times
because after the cache is built, traffic across the WAN link decreases. DNS queries are
resolved faster, which can improve the performance of network applications and other features.
In addition, the caching-only server does not perform zone transfers, which can also
be network-intensive in WAN environments. In general, a caching-only DNS server can be
valuable at a site where DNS functionality is needed locally but where administering
domains or zones is not desirable.
Exam Tip
You can use a caching-only server when you want to improve name resolution for a
branch office that has little technical expertise on its local staff. For example, if the headquarters for
Contoso.com is in New York and a branch office is in Albany, you might not want to host a copy of
the Contoso.com zone at the Albany office because managing that zone would require too much
technical expertise. However, a caching-only server, which requires no technical expertise to maintain,
would allow users in the Albany office to channel their DNS queries through a single server
and create a large pool of cached queries. Repeated queries could then be resolved from the local
server cache instead of through queries across the Internet, thereby improving response times.
By default, the DNS Server service acts as a caching-only server. Caching-only servers thus
require little or no configuration.
To install a caching-only DNS server, complete the following steps:
1. Install the DNS server role on the server computer.
2. Do not create any zones.
3. Verify that server root hints are configured or updated correctly.
Configuring Server Properties
The DNS server properties dialog box allows you to configure settings that apply to the DNS
server and all its hosted zones. You can access this dialog box in DNS Manager by right-clicking
the icon of the DNS server you want to configure and then choosing Properties.
The Interfaces tab allows you to specify which of the local computer’s IP addresses the DNS
server should listen to for DNS requests. For example, if your server is multihomed (has more
than one network adapter) and uses specific addresses for the local network and others for the
Internet connection, you can prevent the DNS server from servicing DNS queries from the
public interface. To perform this task, specify that the DNS server listen only on the computer’s
internal IP addresses, as shown in Figure 2-17.
By default, the setting on this tab specifies that the DNS server listens on all IP addresses associated
with the local computer.
Figure 2-17 You can configure a multihomed DNS server to provide service to one network only. In
this figure, the selected addresses are all associated with the same network adapter.
Root Hints Tab
The Root Hints tab contains a copy of the information found in the
WINDOWS\System32\Dns\Cache.dns file. For DNS servers answering queries for Internet names, this information
does not need to be modified. However, when you are configuring a root DNS server (named
“.”) for a private network, you should delete the entire Cache.dns file. (When your DNS server
is hosting a root server, the Root Hints tab is unavailable.)
In addition, if you are configuring a DNS server within a large private namespace, you can use
this tab to delete the Internet root servers and specify the root servers in your network instead.
NOTE Updating the root servers list
Every few years the list of root servers on the Internet is slightly modified. Because the Cache.dns
file already contains so many possible root servers to contact, it is not necessary to modify the root
hints file as soon as these changes occur. However, if you do learn of the availability of new root
servers, you can choose to update your root hints accordingly. As of this writing, the last update to
the root servers list was made on November 1, 2007. You can download the latest version of the
named cache file from InterNIC at ftp://rs.internic.net/domain/named.cache.
Figure 2-18 shows the Root Hints tab.
Figure 2-18 Root Hints tab
The Forwarders tab allows you to configure the local DNS server to forward DNS queries it
receives to upstream DNS servers, called forwarders. Using this tab, you can specify the IP
addresses of upstream DNS servers to which queries should be directed if the local DNS server
cannot provide a response through its cache or zone data. For example, in Figure 2-19 all queries
that cannot be resolved by the local server will be forwarded to the DNS server
192.168.2.200. When, after receiving and forwarding a query from an internal client, the local
forwarding server receives a query response from 192.168.2.200, the local forwarding server
passes this query response back to the original querying client.
In all cases, a DNS server that is configured for forwarding uses forwarders only after it has determined
that it cannot resolve a query using its authoritative data (primary or secondary zone
data) or cached data.
Figure 2-19 Forwarders tab
When to Use Forwarders
In some cases network administrators might not want DNS servers
to communicate directly with external servers. For example, if your organization is connected
to the Internet through a slow link, you can optimize name resolution performance by
channeling all DNS queries through one forwarder, as shown in Figure 2-20. Through this
method, the server cache of the DNS forwarder has the maximum potential to grow and
reduce the need for external queries.
Another common use of forwarding is to allow DNS clients and servers inside a firewall to
resolve external names securely. When an internal DNS server or client communicates with
external DNS servers by making iterative queries, the ports used for DNS communication with
all external servers must normally be left open to the outside world through the firewall. However,
by configuring a DNS server inside a firewall to forward external queries to a single DNS
forwarder outside your firewall and by then opening ports only for this one forwarder, you can
resolve names without exposing your network to outside servers. Figure 2-21 illustrates this
Figure 2-20 Using forwarding to consolidate caching
Figure 2-21 Secure iteration with forwarders
[Figure 2-21 labels: three forwarding DNS servers, each forwarding to 192.168.0.1]
Finally, a third use of DNS forwarders is within an Active Directory forest hierarchy. When you
have an Active Directory forest with multiple domains, DNS delegations naturally enable client
queries within parent domains to resolve the names of resources in child (sub) domains. However,
without forwarding there is no built-in mechanism that allows clients in child domains to
resolve queries for names in parent domains. To enable this necessary functionality, DNS servers
in the child domains of multidomain forests are typically configured to forward unresolved
queries to the forest root domain DNS server or servers, as shown in Figure 2-22.
Forwarding to the root domain DNS servers in an organization in this way enables client queries
originating in child domains to resolve names of resources not only in the root domain,
but also in all the domains in the forest.
Figure 2-22 Forwarding queries within an Active Directory forest
When to Use Conditional Forwarding
The term conditional forwarding describes a DNS
server configuration in which queries for specific domains are forwarded to specific DNS servers.
One of the many scenarios in which conditional forwarding is useful is when two separate networks
merge. For example, suppose the Contoso and Fabrikam companies have separate networks
with Active Directory domains. After the two companies merge, a 128-Kbps leased line
is used to connect the private networks. For clients in each company to resolve queries for
names in the opposite network, conditional forwarding is configured on the DNS servers in
both domains. Queries to resolve names in the opposite domain will be forwarded to the DNS
server in that domain. All Internet queries are forwarded to the next DNS server upstream
beyond the firewall. This scenario is depicted in Figure 2-23.
Note that conditional forwarding is not the only way to provide name resolution in this type
of merger scenario. You can also configure secondary zones and stub zones, which are
described in Chapter 3, “Configuring a DNS Zone Infrastructure.” These zone types provide
basically the same name resolution service that conditional forwarding does. However, conditional
forwarding minimizes zone transfer traffic, provides zone data that is always up-to-date,
and allows for simple configuration and maintenance.
Figure 2-23 A conditional forwarding scenario
To configure conditional forwarding for a domain, you do not use the DNS server properties
dialog box. You use the Conditional Forwarders container in the DNS Manager console tree.
To add a conditional forwarder, right-click the Conditional Forwarder container, and then
choose New Conditional Forwarder, as shown in Figure 2-24.
Then, in the New Conditional Forwarder dialog box that opens, specify the domain name for
which DNS queries should be forwarded along with the address of the associated DNS server.
The New Conditional Forwarder dialog box is shown in Figure 2-25.
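The Interfaces tab, the Forwarders tab and the Conditional Forwarders container described above can all be set from the command line with dnscmd.exe, which is convenient for a Server Core DNS server that you manage remotely. The following PowerShell script is an added example, not from the training kit; the server name DC1 and every address other than the 192.168.2.200 forwarder from Figure 2-19 are assumed, and the dnscmd switches are those of Windows Server 2008.

```powershell
# Added example (not from the training kit): apply the server-wide settings this
# lesson configures in DNS Manager by running dnscmd.exe against a DNS server.
# Assumptions: the server name and all addresses except 192.168.2.200 are placeholders.
$server   = 'DC1'             # DNS server to configure (assumed name; works remotely)
$internal = '192.168.2.10'    # internal interface address (assumed)
$upstream = '192.168.2.200'   # upstream forwarder from Figure 2-19
$partner  = '10.0.0.5'        # DNS server in the merged partner network (assumed)

# Interfaces tab: listen only on the internal address so the public interface of
# a multihomed server never answers queries arriving from the Internet.
dnscmd $server /ResetListenAddresses $internal

# Forwarders tab: queries the server cannot answer from its zone data or cache go
# to the upstream forwarder; wait at most 5 seconds for its reply.
dnscmd $server /ResetForwarders $upstream /timeout 5

# Conditional Forwarders container: queries for fabrikam.com alone are sent to
# the partner network's DNS server; all other unresolved queries still follow
# the general forwarder configured above.
dnscmd $server /ZoneAdd fabrikam.com /Forwarder $partner

# Verify the result: /Info prints ListenAddresses and Forwarders, /EnumZones lists
# the conditional forwarder alongside any hosted zones, and /ZoneInfo shows its
# master server address.
dnscmd $server /Info
dnscmd $server /EnumZones
dnscmd $server /ZoneInfo fabrikam.com

# Cached records persist until their TTL expires, the DNS Server service restarts,
# or the cache is cleared manually, which this command does:
dnscmd $server /ClearCache
```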
[Figure 2-23 labels: DNS at ISP; All other external queries; Queries for fabrikam.com; Queries for contoso.com]
Figure 2-24 Adding a conditional forwarder
Figure 2-25 The New Conditional Forwarder dialog box
Exam Tip
You will almost certainly see a question about conditional forwarding on the 70-642
exam. Understand its purpose and scenarios in which it might be useful.