11. Configuring a Secondary Nameserver
In this section, I'll cover creating a secondary nameserver to serve a zone. Some preliminary steps are in order, though: first, the machine should be running Windows Server 2003, and it should have the DNS service installed, as I mentioned before. The machine's network connection should be configured so that its preferred nameserver is itself. (Also, for the purposes of this section, the secondary nameserver will be called ns2.hasselltech.net at IP address 192.168.0.6.)
To proceed:
Open the DNS Management MMC snap-in.
Right-click Forward Lookup Zones and select New Zone from the context menu. The New Zone Wizard will appear; click Next to skip the introductory screen.
Choose Secondary to create a secondary lookup zone, which will indicate to Windows that this should be a secondary nameserver. Click Next.
Enter the name of an existing zone on the Zone Name screen, and click Next.
Specify the nameservers from which Windows can fetch the existing zone files. Simply enter the primary nameserver in the box, click Add, and then click Next, as shown in Figure 10.
Click Finish to create the zone.
12. Upgrading a Secondary Nameserver to Primary
Perhaps you decide, upon bringing a newly acquired business into your organization, that you need more horsepower for responding to DNS queries. Or perhaps eventually you'd like to cluster your DNS servers. In these cases, you would want to promote some secondary nameservers to primary status. Promoting an existing secondary nameserver to a primary nameserver is an easy process:
Open the DNS Management snap-in.
Right-click the zone folder that you want to convert, and select Properties from the context menu.
Navigate to the General tab, as shown in Figure 11.
To the right of the Type entry—it should now say either Primary or Secondary—click the Change button. The Change Zone Type screen will appear, as shown in Figure 12.
Click the Primary zone radio button to perform the promotion.
The server will now be a primary server for that zone.
13. Manually Editing Zone Files
All zone files are stored in %SystemRoot%\system32\dns. The files are stored in the format <domain>.dns (e.g., hasselltech.net.dns).
You can edit them with your favorite text editor or with a script that you can write to perform large-scale and/or automated machine rollouts.
When you directly edit zone files, make sure you manually increment the serial number value in the zone's SOA record. You can increment by any value. Otherwise, the changes are likely to be missed by any secondary nameservers during a zone transfer.
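As an added example (not from the book), here is a Python script that performs the serial bump the text calls for on a Windows-format .dns file: it locates the SOA serial, moves it forward, and keeps the service's informational "Zone version" header comment in step. The zone contents are a constructed sample, and the date-based YYYYMMDDnn serial scheme is one common convention, not something the text prescribes.

```python
import re
from datetime import date

# Constructed sample in the layout the Windows DNS service writes to
# %SystemRoot%\system32\dns\<domain>.dns; the names and values are made up.
SAMPLE_ZONE = """\
;
;  Database file hasselltech.net.dns for hasselltech.net zone.
;      Zone version:  12
;
@                       IN  SOA ns1.hasselltech.net. hostmaster.hasselltech.net. (
                        12           ; serial number
                        900          ; refresh
                        600          ; retry
                        86400        ; expire
                        3600       ) ; default TTL
@                       NS  ns1.hasselltech.net.
@                       NS  ns2.hasselltech.net.
"""

# The serial is the first number after the SOA's MNAME and RNAME, on the same
# line or on the next line inside parentheses. Anchoring on a non-comment
# line keeps a ';'-prefixed mention of "SOA" from matching.
SOA_SERIAL_RE = re.compile(
    r"^[^;\n]*?\bSOA\s+\S+\s+\S+\s*\(?\s*(?:;[^\n]*\n\s*)*(\d+)",
    re.IGNORECASE | re.MULTILINE,
)
# Informational header the service writes; kept in step with the serial.
ZONE_VERSION_RE = re.compile(r"^(;\s*Zone version:\s*)(\d+)", re.I | re.M)


def bump_serial(current, today=None):
    """Next serial: YYYYMMDD01 if that is ahead of the current value, else
    current + 1. Serials are unsigned 32-bit (RFC 1982), so wrap at 2**32."""
    today = today or date.today()
    dated = int(today.strftime("%Y%m%d")) * 100 + 1
    return (dated if dated > current else current + 1) % 2**32


def increment_zone_serial(text, today=None):
    """Rewrite the SOA serial in a .dns file body.
    Returns (new_text, old_serial, new_serial)."""
    m = SOA_SERIAL_RE.search(text)
    if not m:
        raise ValueError("no SOA record found in zone file")
    old = int(m.group(1))
    new = bump_serial(old, today)
    text = text[: m.start(1)] + str(new) + text[m.end(1) :]
    text = ZONE_VERSION_RE.sub(lambda v: v.group(1) + str(new), text, count=1)
    return text, old, new
```

Stop the DNS Server service before editing a zone file and start it again afterwards: the service works from an in-memory copy of the zone, can write that copy back over your edits, and only serves the new serial once the zone has been reloaded.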
14. Controlling the Zone Transfer Process
For obvious reasons, you'll find it necessary to control which machines can perform a zone transfer from your nameservers—after all, users at large on the Internet have no legitimate need to retrieve a full copy of your zones, and handing out a complete record of your connected machines is a serious security exposure. Unfortunately, Microsoft didn't lock down this process in the original release, so by default your Windows Server 2003 nameserver will transfer its zone files to any machine upon request. This is locked down, however, in Service Pack 1.
To lock this down, open the DNS Management snap-in and expand the nameserver's name. Find a zone under Forward Lookup Zones, right-click it, and choose Properties. Click over to the Zone Transfers tab. You'll see the screen depicted in Figure 13.
Here you can disallow zone transfers wholesale by unchecking the box labeled Allow zone transfers. However, if you choose to enable them in order to have secondary nameservers, you can lock down access to those zone files a bit more granularly. The first option, To any server, leaves the transfer process wide open—this is the default setting on machines that haven't been upgraded to Service Pack 1. The second option, Only to servers listed on the Name Servers tab, seems to be the most reasonable choice, since it restricts transfers to the servers identified as authoritative for the domain on that tab. The third option, Only to the following servers, can lock down that list even further. Simply select the option, enter an IP address into the box, and click Add. Make the list as long or short as it needs to be, and then finish the process by clicking OK.
Windows Server 2003 also supports a feature described in RFC 1996 known as zone modification notification, which nearly contradicts what I wrote earlier about the zone transfer process being primarily a pull, rather than a push, process. Click the Notify button on the Zone Transfers tab to explore this feature; you'll be greeted with the screen in Figure 14.
The notification feature will contact the servers listed on this Notify screen when changes are made to the zone file on the primary nameserver. You can have the server contact the authoritative nameservers for a zone or domain as listed on the Name Servers tab, or contact only the servers in the list that you create on this screen. (To create this list, simply enter an IP address and click Add. Repeat as necessary to build the list.) Click OK when you've configured or disabled this feature as you wish.