Nameservers need
a constant connection to the Internet and a non-changing IP, either set
statically on the server itself or delivered consistently through a
DHCP reservation. The machine you're building
out as a nameserver doesn't need to be that powerful; a fast Pentium
III machine with 512 MB or so of RAM will be more than sufficient.
In the following examples, I will use the fictitious domain name hasselltech.net,
with the also fictitious machine name colossus and IP address
192.168.0.5. You can, of course, replace these as appropriate when
following along with your own computer.
The first step is to install the nameserver software onto your Windows Server 2003 computer. To do so, follow these steps:
Open Add/Remove Programs inside the Control Panel.
Click the Add/Remove Windows Components button on the left side of the window.
Select Network Services in the list box, and then click the Details button.
Check the Domain Name System (DNS) checkbox, and click OK to return to the previous screen.
Click Next to proceed with the DNS software installation.
Click Finish, and then Close, to finish the procedure.
If you have your computer set up to receive an IP address via DHCP, the nameserver installation will warn that DNS isn't intended to run on a dynamically assigned IP address. For this example, click OK three times to acknowledge these warnings. As mentioned previously, make sure nameservers have a consistent, unchanging IP address.
Next, point your new
nameserver to itself for name resolution so that when you run tests,
you're not querying your ISP's nameservers. In fact, most nameservers
point to themselves, rather than to other nameservers, for name
resolution. I recommend setting this through the command line using the netsh command, like so:
netsh int ip set dns "Local Area Connection" static 192.168.0.5 primary
Replace Local Area Connection with the name of your network connection as it appears in your network connection properties, and replace 192.168.0.5 with the local nameserver's IP address.
Of course, you also can
change the nameservers to use for name resolution through the Windows
interface by following these steps:
Inside the Control Panel, double-click the Network Connections applet.
Inside
the Network Connection dialog box, right-click the name of your network
connection and choose Properties from the context menu.
Navigate to the General tab, and then select Internet Protocol (TCP/IP).
Click the Properties button.
Click the Use the following DNS server address radio button, and then enter the nameserver's IP address into the box.
Now that the DNS server software is installed, open the DNS console: select Start, then click Administrative Tools and select DNS. (The DNS Server service itself starts automatically when the component is installed; check the Services console if it isn't running.) The DNS Management snap-in will appear, as shown in Figure 1 (although it will not have all of the forward lookup zones shown in the figure).
At this point, you have a functional nameserver, which performs "caching-only" functions: it doesn't hold any DNS information of its own, but it ships with a root hints file listing the names and addresses of the Internet's root nameservers, and it can resolve Internet names by recursing down from them. Windows Server 2003's DNS software does this by default, without any configuration on your part. Note what that default implies: the server will perform recursion for any client that can reach it, so a machine left in this state and exposed to the Internet is an open resolver, usable by third parties for cache-poisoning attempts and reflected denial-of-service traffic. If the server will answer outside queries only for zones you host, check Disable recursion on the Advanced tab of the server's Properties sheet.
1. Enabling Incremental Transfers
Windows Server 2003's DNS component is compliant with RFC 1995 and can do incremental zone transfers (known as IXFRs in DNS parlance), in which only the records that changed since the secondary's last copy are sent, with other Windows 2000 or Windows Server 2003 servers supporting the feature. It also still can do old-style full zone transfers, referred to as AXFRs, with nameservers that don't support IXFR, including machines that aren't running Windows 2000 or Windows Server 2003. There is not a way to instruct Windows Server 2003 to always send full zone files to all servers, regardless of whether they are compliant. You can, however, tell Windows to send incremental zone transfers to all supporting servers, regardless of whether they run Windows 2000 or Windows Server 2003. Here's how:
Open the DNS Management snap-in.
Right-click your server and select Properties from the context menu.
Navigate to the Advanced tab, and uncheck the box labeled BIND Secondaries.
Now the server will use incremental zone transfers with all supporting servers, not just those running Windows 2000 or Windows Server 2003. The BIND Secondaries box exists for very old BIND secondaries (4.9.3 and earlier) that cannot handle Windows' fast transfer format, which packs several records into each TCP message and compresses names; leave it checked only if you actually have such a server.
Before enabling transfers of any kind, check who is allowed to request them: a zone transfer hands out the complete zone, which is a ready-made host inventory for an attacker. On each zone's Properties sheet, the Zone Transfers tab lets you restrict transfers to the servers listed on the Name Servers tab or to a specific list of IP addresses; never leave it set to allow transfers to any server.
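The following is an added example, not code from the book or from Microsoft, showing what the IXFR/AXFR distinction above means on the wire. It models a primary that keeps a journal of zone edits and answers a secondary either with the RFC 1995 incremental form (old SOA, deletions, new SOA, additions, per version step), with a full transfer when the journal no longer covers the secondary's serial or the secondary is old-style, or with nothing when the secondary is already current. The zone contents, serials and edits are constructed for the demonstration; the SOA timer values are the Windows Server 2003 defaults.

```python
from dataclasses import dataclass, field

MOD = 1 << 32


def serial_lt(a, b):
    """RFC 1982 comparison: is zone serial a older than b, allowing wraparound?"""
    return a != b and (b - a) % MOD < (1 << 31)


@dataclass
class Change:
    """One zone version step, as recorded in the primary's journal."""
    old: int        # serial before the edit
    new: int        # serial after it
    deleted: list   # (owner, type, rdata) tuples removed
    added: list     # (owner, type, rdata) tuples added


@dataclass
class Primary:
    origin: str
    serial: int
    records: list                                # current non-SOA records
    journal: list = field(default_factory=list)  # ordered history of Changes

    def soa(self, serial):
        # Timer values are the Windows Server 2003 defaults (refresh 900, retry 600,
        # expire 86400, minimum TTL 3600); hostnames are the text's fictitious ones.
        return (self.origin, "SOA",
                f"colossus.{self.origin} hostmaster.{self.origin} "
                f"{serial} 900 600 86400 3600")

    def edit(self, deleted=(), added=()):
        """Apply an edit, bump the serial and journal the step."""
        new = (self.serial + 1) % MOD
        self.journal.append(Change(self.serial, new, list(deleted), list(added)))
        self.records = [r for r in self.records if r not in deleted] + list(added)
        self.serial = new

    def transfer(self, secondary_serial, supports_ixfr=True):
        """Answer a secondary that currently holds secondary_serial.

        Returns (kind, records): "NONE" when the secondary is current, an
        "IXFR" body when it speaks RFC 1995 and the journal still covers its
        serial, otherwise a full "AXFR" of the zone."""
        if not serial_lt(secondary_serial, self.serial):
            return "NONE", [self.soa(self.serial)]
        start = next((i for i, c in enumerate(self.journal)
                      if c.old == secondary_serial), None)
        if supports_ixfr and start is not None:
            # RFC 1995 section 2 layout: new SOA, then for each step the old SOA
            # followed by deletions and the new SOA followed by additions,
            # closed by the new SOA again.
            msg = [self.soa(self.serial)]
            for c in self.journal[start:]:
                msg += [self.soa(c.old), *c.deleted, self.soa(c.new), *c.added]
            msg.append(self.soa(self.serial))
            return "IXFR", msg
        # No journal coverage (or an old-style secondary): send the whole zone
        # bracketed by the SOA, exactly as an AXFR does.
        return "AXFR", [self.soa(self.serial), *self.records, self.soa(self.serial)]


def demo():
    """Walk hasselltech.net through two edits and show what each secondary gets."""
    p = Primary("hasselltech.net.", 3, [("colossus", "A", "192.168.0.5")])
    p.edit(added=[("www", "A", "192.168.0.6")])                 # serial 3 -> 4
    p.edit(deleted=[("colossus", "A", "192.168.0.5")],
           added=[("colossus", "A", "192.168.0.7")])            # serial 4 -> 5
    return {
        "ixfr_from_3": p.transfer(3),
        "ixfr_from_4": p.transfer(4),
        "gap_from_1": p.transfer(1),               # journal starts at 3: full AXFR
        "old_style_from_3": p.transfer(3, supports_ixfr=False),
        "current": p.transfer(5),
        "ahead": p.transfer(9),                    # secondary "newer" than primary
    }
```

The last case in demo() is the one that bites in practice: a secondary whose serial is higher than the primary's (for instance because the zone was rebuilt on the primary with a fresh, lower serial) is told it is current and never transfers again until the primary's serial passes it.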
2. Creating a Forward Lookup Zone
Now, to further configure your server, let's create a forward lookup zone
file. Inside the DNS snap-in, expand the server name in the lefthand pane. Then do the following:
Right-click Forward Lookup Zones and select New Zone. The New Zone Wizard appears.
Choose Primary Zone, and then click Next.
Enter the zone name. In this example, I'll use hasselltech.net. Click Next to continue.
Enter a name for the new zone file, which is stored as plain text. The default name is your domain with .dns appended to the end, hasselltech.net.dns, for example. The zone files are stored in %SystemRoot%\system32\dns. Click Next.
On the Dynamic Update screen, choose Allow both nonsecure and secure dynamic updates so that the dynamic update material later in the chapter can be followed. Understand what that setting permits: any host that can reach the server may add, change, or delete records in the zone, including records for machines other than itself, with no authentication at all. For a production zone, pick Do not allow dynamic updates unless you need the feature; the Allow only secure dynamic updates option, which requires the updating client to authenticate, is offered only for Active Directory-integrated zones. I'll discuss dynamic DNS updating in a later section. Click Next.
Click Finish to complete the zone creation process.
The hasselltech.net zone has now been created.
3. Entering A Records into a Zone
Inside the DNS snap-in, right-click the hasselltech.net node in the lefthand pane and choose New Host (A) from the context menu. The New Host dialog box appears, as shown in Figure 2.
Enter the hostname of
the machine for which you're entering the record, and then enter the IP
address of the machine. As you enter the hostname, the fully qualified
domain name (FQDN) will adjust to show the full hostname, including the
domain, to check your work. You also can check the Create associated pointer (PTR) record checkbox, which enters a PTR record into the reverse lookup zone, if one is currently configured for the address. (If none is set up, the process will throw an error; create the reverse lookup zone for the network first, under Reverse Lookup Zones, if you want PTR records.) Click OK.
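To make the two steps above concrete, here is an added example (not the book's or Microsoft's code) that parses a zone file in the format Windows writes to %SystemRoot%\system32\dns and then works out, for every A record, the PTR record the "Create associated pointer" checkbox would add and which reverse lookup zone it needs. The sample file contents are constructed to match the hasselltech.net zone used in the text; the parser handles the parenthesised multi-line SOA, comments, the @ origin shorthand and relative names, and an address with no covering reverse zone comes back flagged, which is the case where the wizard errors.

```python
import ipaddress

# Constructed sample of a zone file in the format Windows Server 2003 writes to
# %SystemRoot%\system32\dns (hasselltech.net.dns); contents follow the text.
ZONE_TEXT = """\
;
;  Database file hasselltech.net.dns for hasselltech.net zone.
;      Zone version:  3
;
@                       IN  SOA colossus.hasselltech.net.  hostmaster.hasselltech.net. (
                        \t3            ; serial number
                        \t900          ; refresh
                        \t600          ; retry
                        \t86400        ; expire
                        \t3600       ) ; default TTL
;
;  Zone NS records
;
@                       NS\tcolossus.hasselltech.net.
;
;  Zone records
;
colossus                A\t192.168.0.5
www                     A\t192.168.0.6
mail                    A\t10.1.2.3
"""


def _logical_lines(text):
    """Drop ';' comments and join a parenthesised record (the SOA) into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def parse_zone(text, origin):
    """Return (owner FQDN, type, rdata) tuples; relative names get the origin appended."""
    origin = origin.rstrip(".") + "."
    records = []
    for line in _logical_lines(text):
        fields = line.split()
        if line[0].isspace():                  # blank owner column: same owner as previous
            owner = records[-1][0] if records else origin
        else:
            name = fields.pop(0)
            owner = origin if name == "@" else (name if name.endswith(".") else f"{name}.{origin}")
        if fields[0] == "IN":                  # class is optional in Windows-written files
            fields.pop(0)
        if fields[0].isdigit():                # so is a per-record TTL
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records


def reverse_zone_for(network):
    """Name of the in-addr.arpa zone covering a /8, /16 or /24 network."""
    net = ipaddress.ip_network(network)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("octet-aligned prefix expected for an in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def ptr_records(records, reverse_zones):
    """For every A record, the PTR the 'Create associated pointer (PTR) record'
    box would add and the reverse zone it belongs in, or None for the zone when
    no configured reverse zone covers the address (where the wizard errors)."""
    zones = {reverse_zone_for(n): ipaddress.ip_network(n) for n in reverse_zones}
    out = []
    for owner, rtype, rdata in records:
        if rtype != "A":
            continue
        addr = ipaddress.ip_address(rdata)
        zone = next((z for z, net in zones.items() if addr in net), None)
        out.append((addr.reverse_pointer + ".", "PTR", owner, zone))
    return out
```

Running ptr_records over the parsed zone with only 192.168.0.0/24 configured as a reverse zone yields PTRs for colossus and www but flags mail (10.1.2.3) as having no reverse zone, which is exactly the situation in which the New Host dialog refuses to create the pointer.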
4. Controlling Round-Robin Balancing
You can enable or disable round-robin DNS balancing
using the nameserver's Advanced Properties screen, which you'll find by
right-clicking the nameserver name in the DNS Management snap-in's
lefthand pane and selecting Properties from the context menu. Figure 3 shows this screen, on the Advanced tab of the Properties sheet.
Check Enable round robin in the Server options box to enable round robin, and uncheck it to disable it. With round robin on, when a name has several A records the server rotates their order from one response to the next, so clients that take the first answer are spread across the hosts. Bear in mind that this is blind distribution, not load balancing: the server does not check that the hosts are up, so a failed host keeps receiving its share of clients until its record is removed from the zone.
DNS round-robin functionality is enabled on a per-server level, not on a per-zone level.
Netmask ordering interacts with round robin. When Enable netmask ordering is checked (the default), records whose addresses are on the same subnet as the querying client are placed first in the response, and round robin rotates the order within that arrangement. If you want to turn off the netmask ordering feature, on the Advanced Properties screen shown in Figure 3 uncheck Enable netmask ordering in the Server options box.
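The following added example (a model written for this page, not Microsoft's implementation) shows how the two options combine by ordering the A records for one name over a series of queries. It assumes, as Windows Server 2003 does by default, that "same subnet" means the client's /24; the name, addresses and client IPs are constructed for the demonstration.

```python
import ipaddress


class ResponseOrderer:
    """Model of how a DNS server orders the A records in an answer when the
    Enable round robin and Enable netmask ordering options are set.
    Added example; the /24 "same subnet" test is an assumption matching the
    Windows Server 2003 default."""

    def __init__(self, round_robin=True, netmask_ordering=True, local_prefix=24):
        self.round_robin = round_robin
        self.netmask_ordering = netmask_ordering
        self.local_prefix = local_prefix
        self._rotation = {}        # per-name counter that drives round robin

    def order(self, name, addresses, client_ip):
        addrs = list(addresses)
        if self.round_robin:
            k = self._rotation.get(name, 0) % len(addrs)
            self._rotation[name] = k + 1
            addrs = addrs[k:] + addrs[:k]          # rotate one step per query
        if self.netmask_ordering:
            client_net = ipaddress.ip_network(f"{client_ip}/{self.local_prefix}", strict=False)
            local = [a for a in addrs if ipaddress.ip_address(a) in client_net]
            # local-subnet records first; the rotated order is kept inside each group
            addrs = local + [a for a in addrs if a not in local]
        return addrs


def first_answers(orderer, name, addresses, client_ip, queries):
    """The address a client that uses only the first answer gets on each query."""
    return [orderer.order(name, addresses, client_ip)[0] for _ in range(queries)]


def share(orderer, name, addresses, client_ip, queries):
    """Fraction of queries each address wins: where round robin actually sends clients."""
    firsts = first_answers(orderer, name, addresses, client_ip, queries)
    return {a: firsts.count(a) / queries for a in addresses}
```

Run share() against a host list that still contains a machine you have taken down and you will see it keep winning a third of the queries; round robin has no notion of health, which is why a dead host's record has to be removed from the zone (and its TTL has to expire in caches) before clients stop being sent to it.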
5. Entering and Editing SOA Records
A default SOA record is
created when you create a new zone in Windows Server 2003. To modify an
SOA record, double-click it in the DNS Management snap-in. The screen
will look something like Figure 4.
Here are descriptions of the various fields on this tab:
Serial number
The serial number is the zone's version counter. Secondary nameservers compare it with the serial in their own copy to decide whether the zone has changed and a transfer is needed, so it must only ever go up: comparison is modulo 2^32 as defined in RFC 1982, and a serial set lower than the one a secondary already holds is treated as older, so the secondary will never pick up the change. Windows increments the serial automatically when you edit the zone; if you want to change this number by hand, click the Increment button; you can't simply edit the field.
Primary server
This field denotes the primary, authoritative nameserver for this zone.
Responsible person
This field indicates the administrator responsible for configuring and editing this zone. This is the administrator's email address, but with a period in place of the normal at sign (@) and a period appended to the end of the string. For example, if your administrator is hostmaster@hasselltech.net, in this field you would enter hostmaster.hasselltech.net. If the mailbox part itself contains a period, escape that period with a backslash (john\.doe.hasselltech.net.), because the first unescaped period is what marks the end of the mailbox name.
Refresh interval
The refresh interval tells secondary nameservers how often to query the primary's SOA record and compare serial numbers to find out whether their copy of the zone is out of date. The Windows Server 2003 default is 15 minutes.
Retry interval
The retry interval tells a secondary nameserver how long to wait before trying again when a refresh attempt fails, for example because the primary was unreachable. It is normally shorter than the refresh interval; the Windows default is 10 minutes.
Expires after
This value indicates how long a secondary nameserver may keep serving the zone without having been able to refresh it from the primary. Once that much time has passed since the secondary's last successful refresh, the zone expires on that server and it stops giving authoritative answers for the zone, returning server failures instead. The Windows default is one day; set it long enough to ride out a realistic primary outage.
Minimum (default) TTL
This value indicates to other nameservers how long they can cache information they've previously retrieved from this nameserver before being required to consult the authoritative server again for updated or refreshed information. Windows uses it as the TTL of records that have no TTL of their own and, as described in RFC 2308, as the caching time for negative answers (names that don't exist). The default is 60 minutes. You also can set TTL values for individual records that override this default for the zone.
TTL for this record
This value overrides the minimum (default) TTL as described earlier and applies only to this SOA record.
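To show how the refresh, retry and expire values above play out, here is an added example (not the book's or Microsoft's code) that models the state a secondary keeps for one zone and drives it through a primary outage. It also implements the responsible-person encoding, including the backslash escape for a period in the mailbox name, and the RFC 1982 serial comparison that explains why the serial must never go backwards. Timer values are the Windows Server 2003 defaults; the serials and outage times are constructed for the demonstration.

```python
from dataclasses import dataclass

MOD = 1 << 32


def serial_lt(a, b):
    """RFC 1982: is serial a older than serial b? (modulo 2**32)"""
    return a != b and (b - a) % MOD < (1 << 31)


def email_to_rname(addr):
    """hostmaster@hasselltech.net -> hostmaster.hasselltech.net.; periods in the
    mailbox part are escaped because the first unescaped period ends the mailbox."""
    local, domain = addr.split("@", 1)
    return local.replace(".", "\\.") + "." + domain.rstrip(".") + "."


def rname_to_email(rname):
    """Inverse of email_to_rname, honouring backslash escapes."""
    local, i = [], 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])
            i += 2
        elif ch == ".":
            return "".join(local) + "@" + rname[i + 1:].rstrip(".")
        else:
            local.append(ch)
            i += 1
    raise ValueError("no domain part in " + rname)


@dataclass
class SoaTimers:
    # Windows Server 2003 defaults, in seconds
    refresh: int = 900
    retry: int = 600
    expire: int = 86400
    minimum: int = 3600


class Secondary:
    """The refresh / retry / expire state a secondary keeps for one zone."""

    def __init__(self, timers, serial, now=0):
        self.t = timers
        self.serial = serial
        self.loaded_at = now                    # last successful SOA check
        self.next_check = now + timers.refresh
        self.authoritative = True

    def tick(self, now, primary_serial):
        """primary_serial: the primary's current serial, or None if unreachable.
        Returns what the secondary did at time `now`."""
        if now - self.loaded_at >= self.t.expire:
            self.authoritative = False          # zone expired: SERVFAIL from now on
        if now < self.next_check:
            return "wait"
        if primary_serial is None:
            self.next_check = now + self.t.retry
            return "retry"
        self.loaded_at, self.authoritative = now, True
        self.next_check = now + self.t.refresh
        if serial_lt(self.serial, primary_serial):
            self.serial = primary_serial        # would trigger an IXFR/AXFR
            return "transfer"
        return "fresh"                          # primary's serial is not newer


def outage_timeline(timers, secondary_serial, primary_serial, outage_start, until, step=300):
    """Drive a Secondary until `until` seconds, with the primary unreachable from
    outage_start on. Returns the non-wait actions and the time the zone expired."""
    sec = Secondary(timers, secondary_serial)
    log, expired_at = [], None
    for now in range(0, until + 1, step):
        reachable = now < outage_start
        action = sec.tick(now, primary_serial if reachable else None)
        if action != "wait":
            log.append((now, action))
        if expired_at is None and not sec.authoritative:
            expired_at = now
    return log, expired_at
```

With the default timers the secondary transfers at the first refresh, confirms freshness at the second, then retries every 10 minutes once the primary disappears and expires the zone exactly one day after its last successful check. Constructing a Secondary whose serial is already higher than the primary's shows the other failure: tick() reports "fresh" and the stale copy is kept indefinitely.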