Home > Articles > Microsoft > MCSE

This chapter is from the book

Managing DNS

After DNS is installed, it can be managed using the DNS management console. Management tasks include configuring zone settings, creating and managing resource records, and monitoring the status and performance of DNS. The following sections discuss some of the common management tasks associated with DNS.

Managing DNS Zone Settings

After a zone has been successfully added to your DNS server, you can configure it via the zone's Properties dialog box. To do so, right-click the zone from within the DNS management console and click Properties. The Properties dialog box for the zone displays six tabs, as shown in Figure 3.7. If Active Directory is not installed, only five tabs are available (the Security tab is not present).

Figure 3.7Figure 3.7 You can configure a zone through its Properties dialog box.

The following list summarizes each of the tabs for a DNS zone's properties:

  • General—View the status of the zone, change the type of zone, change the zone filename, change the replication scope for a zone, and configure dynamic updates. You can also set the aging and scavenging properties for the zone.

  • Start of Authority (SOA)—Configure the zone transfer information and the email address of the zone administrator. The serial number is used to determine whether a zone transfer is required. Each time a change is made this number is incremented by 1. By using the Increment button, you can increase the value, thereby forcing a zone transfer.

  • Name Servers—Specify the list of secondary servers that should be notified when changes to the zone file occur.

  • WINS—Enable the DNS server to query the list of WINS servers for name resolution.

  • Zone Transfers—Configure which secondary servers can receive zone transfers. You can specify any server, only those listed on the Name Servers tab, or the ones configured from this property sheet. Clicking the Notify button enables you to configure which secondary servers will be notified of changes.

  • Security—If the zone is Active Directory integrated, the Security tab is available and can be used to configure permissions to the zone file. This is where you can control who can perform dynamic updates.

Changing Zone Types

Using the General tab from the Zone Properties dialog box, you can change the current zone type (see Figure 3.8). To do so, click the Change button beside the zone type. You have the option of changing a primary or secondary zone to an Active Directory–integrated zone or changing an Active Directory–integrated zone to a primary zone or secondary zone.

Before you attempt to change the zone type, be aware of the following points:

  • The option to store zone information within Active Directory is available only when the DNS server is also configured as a domain controller.

  • If you convert to a secondary zone or a stub zone, you must specify the IP address of the server from which the zone information will be retrieved.

  • Changing a secondary zone to a primary zone affects such things as dynamic updates, the use of the DNS Notify option, and zone transfers.

  • When the option to store information within Active Directory is cleared, zone information is deleted from Active Directory and copied into a text file on the local DNS server in the %systemeroot%/system32/DNS folder.

  • Because the purpose of a stub zone is to maintain information about only authoritative name servers for the zone, it is not recommended that a stub zone be converted to a primary zone because primary zones can contain a number of other records rather than just those for authoritative name servers.

Figure 3.8Figure 3.8 You can change the zone type via a zone's Properties dialog box.

Dynamic Updates

Windows 2003 Server, Windows XP, and Windows 2000 clients can interact directly with a DNS server. With dynamic updates, clients can automatically register their own resource records with a DNS server and update them as changes occur. Resource records are the entries within the DNS server database files. Each resource record contains information about a specific machine, such as the IP address or specific network services running. The type of information within a resource record depends upon the type of resource record that is created. For example, an A (address) record contains the IP address associated with a specific computer; it's used to map a hostname to an IP address.

Dynamic updates greatly reduce the administration associated with maintaining resource records. Dynamic updates eliminate the need for administrators to manually update these records. In terms of DHCP, with a short lease duration configured, the IP address assigned to DNS clients can change frequently. If dynamic updates are not enabled, an administrator can end up spending a lot of time updating zone information. In addition, there is always the chance for human error when done manually.

Dynamic updates provide the following advantages:

  • DHCP servers can dynamically register records for clients. This is particularly important because DHCP servers can perform updates on behalf of clients that do not support dynamic updates, such as Windows 95, 98, or NT4 clients.

  • The administrative overhead is reduced because A records and PTR records can be dynamically updated by Windows DNS clients that support this option.

  • The SRV records required to locate domain controllers can be dynamically registered.

CAUTION

To implement dynamic updates on a network with pre–Windows 2000 clients, a DHCP server and a DNS server are required on the network. The DHCP and DNS servers must be running Windows Server 2003 or Windows 2000 because Windows NT 4.0 DNS servers don't support dynamic updates. A DHCP server is required to perform dynamic updates on behalf of clients that do not support this feature, such as Windows 95 clients.

By default, any Windows Server 2003, Windows XP, or Windows 2000 client can update its own records with the DNS server. The DHCP client service attempts to update records with the DNS server when any of the following events occur:

  • The workstation is rebooted.

  • The client records are manually refreshed using the ipconfig /registerDNS command.

  • A statically configured IP address is modified.

  • The IP address leased from a DHCP server changes or is renewed. An IP address can be manually renewed using the ipconfig /renew option.

Let's take a look at an example of what happens when a Windows XP DNS client performs a dynamic update. Assume that you change a bayside.net workstation's computer name from computer1 to computer2. Upon changing the computer name, you are required to restart before the changes take effect. When the workstation restarts, the following process occurs:

  1. The DHCP client service sends a query to an authoritative DNS server for the domain using the new DNS domain name of the workstation.

  2. The DNS server that is authoritative for the workstation's domain responds to the request with information about the primary DNS server for the domain.

  3. The client sends a dynamic update request to the primary DNS server.

  4. The update request is processed by the primary DNS server. The old host and pointer records are removed and replaced with the updated ones.

  5. The master name server randomly notifies any secondary servers that a change to the zone file has occurred.

  6. Secondary servers request the zone transfer update to the zone file according to the frequency configured on the zone's Start of Authority tab.

Dynamic updates are configured on a per-zone basis. To configure a zone for dynamic update, right-click the zone within the DNS management console and click Properties. In the Properties dialog box, ensure that the General tab is selected. To enable dynamic updates, select one of the following options:

  • None—Select this option to disable dynamic updates for the zone. Doing so means that the zone file must be manually updated.

  • Nonsecure and Secure—Select this option to allow nonsecure updates (anyone can perform the update) as well as secure updates (only certain users can perform the update).

  • Secure Only—Select this option to enable dynamic updates for those users and groups authorized to do so because they have accounts in Active Directory and have been granted permission to update their records. This option is available only for zones that store information within Active Directory. You can use the Security tab from the zone's Properties window to configure who can perform dynamic updates.

CAUTION

When configuring dynamic updates, remember that the zone must be standard primary (information is stored locally in files) or Active Directory integrated (information is stored on all DCs). Also, to use secure updates, the zone must be Active Directory integrated. This feature is not supported by standard primary zones.

Secure Updates

Windows Server 2003 supports secure dynamic updates for zones that store information within Active Directory. With secure updates, only those clients authorized within the domain are permitted to update resource records. This means that the DNS server accepts updates only from clients that have accounts within Active Directory. Any computers that do not have accounts are not permitted to register any records, thereby eliminating the chance that unknown computers will register with the DNS server. Secure updates for a zone can be configured by selecting the Secure Only option.

The benefit of selecting this option is obviously an increase in security. The resource records and zone files can be modified only by users who have been authorized to do so. This also provides administrators with a finer granularity of control because they can edit the access control list (ACL) for the zone and specify which users and groups can perform dynamic updates. You edit the ACL for a zone by right-clicking the zone, selecting Properties, and choosing the Security tab.

Zone Transfers

Secondary servers get their zone information from a master name server. The master name server is the source of the zone file; it can be a primary server or another secondary server. If the master name server is a secondary server, it must first get the updated zone file from the primary server. The process of replicating a zone file to a secondary server is referred to as a zone transfer. Zone transfers occur between a secondary server and a master name server in the following situations:

  • When the master name server notifies the secondary server that changes have been made to the zone file. When the secondary server receives notification, it requests a zone transfer. If multiple secondary servers exist, they are notified at random so that the master name server is not overburdened with zone transfer requests.

  • When the refresh interval expires and the secondary server contacts the primary name server to check for changes to the zone file.

  • When the DNS server service is started on a secondary server.

  • When a zone transfer is manually initiated through the DNS management console on a secondary server.

Windows Server 2003 DNS (as well as Windows 2000 DNS) supports two types of zone transfers. Pre–Windows 2000 implementations of DNS supported a full zone transfer (AXFR) only, in which the entire zone file is replicated to the secondary server. This type of zone transfer is supported by most implementations of DNS. If the secondary server's zone file is not current, which means that changes were made, the entire zone file is replicated. The second type of zone transfer is known as an incremental zone transfer (IXFR), in which only the changes made to a zone file are replicated to the secondary server, thereby reducing the amount of network traffic. Frequency of zone transfers is configured on the Start of Authority tab.

The following list summarizes the configurable options for zone transfers:

  • Serial Number—Lists the number used to determine whether the zone file has changed. Each time a change is made, this number is incremented by 1. You can force a zone transfer by manually increasing this number.

  • Primary Server—Lists the hostname of the primary DNS server for the zone.

  • Responsible Person—Lists the e-mail address of the person responsible for administering the zone.

  • Refresh Interval—Determines how often the secondary server polls the primary server for updates. Consider increasing this value for slow network connections.

  • Retry Interval—Specifies how often the secondary server attempts to contact the primary server if the server does not respond.

  • Expires After—Specifies when zone file information should expire if the secondary server fails to refresh the information. If a zone expires, zone data is considered to be potentially outdated and is discarded. Secondary master servers do not use zone data from an expired zone.

  • Minimum (Default) TTL—Specifies how long records from the zone should be cached on other servers.

  • TTL for this Record—Specifies how long DNS servers are allowed to store a record from the zone in their cache before it expires.

NOTE

When zone information is stored within Active Directory, zone updates are replicated differently than in a standard primary/secondary scenario. DNS notification is no longer needed, and configuring a notify list is unnecessary. Instead, the DNS servers that store information within Active Directory poll Active Directory at 15-minute intervals to check for updates.

Zone Delegation

Delegation is the process of designating a portion of the DNS namespace for another zone. It gives administrators a way of dividing a namespace among multiple zones. For example, an administrator might place the bayside.net domain in one zone and place the sales.bayside.net subdomain in another delegated zone. The bayside.net zone would contain all the records for the sales subdomain if it is not delegated. Through delegating, the bayside.net zone contains only information for bayside.net, as well as records to the authoritative name servers for the sales.bayside.net zone. The host entries for any machines in sales.bayside.net are contained only on the delegated server.

In any case, when deciding whether to delegate, keep the following points in mind:

  • Zone delegation allows you to delegate management of part of the DNS namespace to other departments or locations.

  • Zone delegation allows you to distribute a large DNS database across multiple servers for load balancing, faster name resolution, and increased performance.

  • Zone delegation allows you to extend the namespace for business expansion, that is, it is scalable with business needs.

NOTE

To facilitate the delegation of zones, you need the appropriate delegation records that point to authoritative name servers for the new zone(s).

You can use the following procedure to delegate a zone:

  1. From within the DNS management console, right-click the domain you want to delegate and select New Delegation. The New Delegation Wizard opens. Click Next.

  2. Type a name for the delegated domain in the Delegated Domain text box. Click Next.

  3. Specify the name servers that will host the delegated domain by clicking the Add button. The New Resource Record screen appears, allowing you to specify the name and IP address of the name servers. Click OK. Click Next.

  4. Click Finish.

Managing DNS Record Settings

After resource records have been created, they can be managed through the management console. Tasks associated with resource records include modifying the resource records, deleting existing records, and configuring security.

Modifying Resource Records

If you have manually created resource records within a zone, at some point you might need to modify them, such as change the IP address associated with a particular hostname. This won't be an issue if you are using dynamic updates because DNS clients (running the appropriate platform) can update this information on their own.

You can modify a resource record within the DNS management console by selecting the appropriate zone, right-clicking the resource record, and clicking Properties (see Figure 3.9). For example, you can change the hostname, domain name, and IP address of a Host (A) record.

Figure 3.9Figure 3.9 You can modify the properties of a resource record through the management console.

Deleting Resource Records

You can delete resource records within a zone file at any time. For example, if you manually create resource records for a server and remove it from the network, you will want to delete the records from the zone file. Deleting a record is a simple process. Simply right-click the record within the zone and click the Delete option. Click Yes to confirm your actions.

Modifying Security for Records

Each record has an associated ACL that can be edited. Doing so enables you to specify which users and groups are permitted to securely update the record and change their permissions. You can modify the security by opening the Properties window for a record and selecting the Security tab (see Figure 3.10).

Figure 3.10Figure 3.10 You modify security for a record on its Security tab.

Managing DNS Server Options

Most management tasks performed on a DNS server are done through the DNS management console. When you highlight your DNS server within the DNS management console and click the Action menu, you see a number of options that can be used to manage different aspects of DNS. Some of the options available are summarized as follows:

  • Set Aging/Scavenging for All Zones—Use this option to configure refresh intervals for resource records. This enables you to refresh resource records on a set schedule. Refreshing periodically keeps bad records, such as invalid URLs, out of the database.

  • Scavenge Stale Resource Records—Use this option to manually scavenge stale resource records. Stale resource records can accumulate within a zone over a period of time. For example, if a computer registers its own resource record and is shut down improperly, the record might not be removed from the zone file. Scavenging stale resource records can eliminate any problems, such as outdated information.

  • Update Server Data Files—Use this option to write all changes to the zone file stored within Active Directory to a zone file on the disk.

  • Clear Cache—Use this option to clear the contents of the name server's cache.

  • Launch NSLookup—Use this option to open the command prompt from which you can use the NSLookup command.

Pearson IT Certification Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from Pearson IT Certification and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about Pearson IT Certification products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites; develop new products and services; conduct educational research; and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by Adobe Press. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.pearsonitcertification.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020