You can watch the whole video below or download it and watch it at your convenience — I included iPod/iPhone files for you too.

 
Here’s what I cover in this video:

• The scenario — I’ll start off by introducing you to the scenario that we’ll be working with all throughout this training
• Quick edition check — we’ll go through the different flavors of Server 2008 and the requirements to make sure that your box is ready
• Installation & configuration — installation and initial configuration steps are explained and demonstrated on a virtual machine
• Adding Active Directory — next I’ll show you how to add the AD role by installing Active Directory Domain Services
• Promotion to Domain Controller — using dcpromo.exe we will create a new domain in a new forest and then install the DNS server

Free Instant Download

Download this lesson in high-quality WMV video format

Or, download in iPod/iPhone format to watch on the go

Related posts:

• Lesson 3: Active Directory Users and Groups in Windows Server 2008
• Lesson 8: Windows Server 2008 Terminal Services
• Lesson 6: Windows Server 2008 RODC – Read Only Domain Controllers

The main reason for this of course, is that Windows Web Server 2008 does not allow you to install the Microsoft DNS Role.

In this part of the series I will walk you through an initial configuration of the BIND DNS server. First let’s talk about a few different types of DNS server setups available.

Authoritative Name Servers

Every DNS zone, like www.trainsignaltraining.com, is served by at least one authoritative name server which contains all the DNS records for the zone.

To account for fault tolerance most zones have more than one server that keeps all these records in case of outages.

Because of this you will have two types of Authoritative Name Servers — one that keeps the master copy of the zone and that server is called the primary master, and the other called a slave or secondary server that loads their data from the master server by a means of zone replication.

Caching Name Servers

Also called a recursive name server, this is most commonly the local DNS server that your operating system talks to.

When you make a request on your local PC, more than likely it will go out to your ISP’s DNS Caching server which will make a request to the Authoritative Name Server. One of the features of most caching servers is that it will keep that request cached for a certain amount of time to speed lookups.

Creating an Authoritative Name Server with BIND

Once BIND DNS is installed you will see that it is a pretty bare install and needs to be setup via configuration files.

For some Wintel administrators this may be a little daunting in an age of GUI interfaces, but don’t worry it isn’t too painful, and gives you good practice for some *nix cross training.

In this demo I am going to create a Authoritative Name Server for the domain bindtest.com at the IP of 192.168.11.13, as a note this is only accessible at my internal network so don’t go searching around for it.

To refresh your memory we installed BIND DNS at C:\Windows\System32\dns

1. Start by opening a command prompt with administrative rights by clicking on the Start menu, right click Command Prompt then left click on Run as Administrator

2. Type in the following at the command prompt hitting Enter after each line:

cd c:\windows\system32\dns\bin (or where you installed BIND)
rndc-confgen –a
rndc-confgen > C:\windows\system32\dns\etc\rndc.conf

Close the command prompt

3. Open Explorer and go to C:\windows\system32\dns\etc and create the following directories:

run
zones
log

Create an empty file in the log directory called named.log

4. Download the following file: named.conf and place it in C:\windows\system32\dns\etc (or wherever you installed BIND).

If you did install BIND in a different directory, then in the named.conf go in and change the location in options for the directory to your install location.

5. You also need to modify the named.conf to change the zone to the domain you want to manage.

In our example I am using bindtest.com, but you need to change this to match your domain.

You should also change the file name to replace db.bindtest.com.txt to db.%yourdomain.com%.txt –replacing %yourdomain.com% with your domain name.

6. Open rndc.conf in notepad (in the etc folder) and copy everything below the line that says:

# Use with the following in named.conf

7. Open named.conf and paste the contents of the clipboard at the end of the file.

Remove all the # from each line and delete the first line copied in and the last line copied in so it looks like the picture below. Save and close named.conf

8. Download the following file: db.bindtest.com.txt and place it in C:\windows\system32\dns\etc\zones

9. Rename db.bindtest.com.txt to whatever you used in step 5, so that the file is named db.%yourdomain.com%.txt — replacing %yourdomain.com% with your domain name.

10. Open the db.bindtest.com.txt (or whatever you renamed it) and modify the following then save the file:

Change any reference to bindtest.com to your domain name

Change the serial line to reflect the current date in this format: YYYYMMDDRR
YYYY = YEAR
MM = MONTH
DD = DAY
RR = Revision number (01 if this is the first time)

Change the IPs to the IPs that your servers are using

Now you are configured to be an Authoritative Name Server for bindtest.com (or whatever your domain is named) with no recursive lookup.

Open Server Firewall

If you are using a firewall for your server either software or hardware, you will want to make sure that incoming requests on UDP port 53 are open. This will make sure that your server will accept incoming queries.

Start the BIND DNS Service

Ok, we are finally ready to actually start this service. Let’s go in and start this service.

1. Go to the Start button, then to the Administrative Tools, then left click on Services

2. Scroll down and find ISC Bind and right click on it, then click on Start to start the service.

That’s it! The BIND DNS service is now up and running and ready to accept queries. Let’s test out the service.

Testing BIND DNS

I am going to use a very cool tool that is loaded with BIND DNS that’s called DIG.

You will find it in the bin directory where you installed BIND. The tool will go out and query for a domain name and grab all the DNS records. Let’s take a look:

1. Open a command prompt and navigate to the bin directory

2. Type in the following to get a feel for what you get back and hit Enter:

Dig Yahoo.com any

3. Below you will see a piece of the output:

4. Now that you know what to look for, I am going to use my test domain bindtest.com with the dig tool by typing: Dig @192.168.11.13 bindtest.com any

Note: I use @192.168.11.13 because bindtest.com is not registered with ICANN so it tells dig to use the name server at that address.

5. You can see that the BIND Name Server is responding with the correct information:

We have now configured an Authoritative Name Server for the test server bindtest.com that responds correctly to DNS requests.

A quick note, when you make changes you will have to restart the ISC BIND Service or run the command c:\windows\system32\dns\bin\rndc reload from a command prompt or batch file.

Related posts:

• Install BIND DNS on Windows Web Server 2008 – Part 1
• Configure DHCP on Windows Server 2008
• Role Playing with Windows 2008 Server Core

Unfortunately this is not always the case as expanding will usually mean more work for you.

But in case the company you work for opens up another office in a different city, state, or country, in order to keep your network manageable it’s best to put the new office into its own child domain — a.k.a sub domain.

Why Add a Child Domain?

There are several good reasons for splitting the new office into its own child domain, here are 3 of them:

• Less Network Traffic between your main office and the new one – that means your company will spend less money on the direct connection between the two offices and you will never experience a network delay.
• You will be able to delegate control of the new network to another administrator who actually lives in the location of the new office. If your offices are close and you are about 20 minutes away to any one of them, then I guess that’s no big deal. But if your main office is located in New York and the new office is going to be in … oh, let’s say Paris, how the heck are you going to get there in case of an emergency? See my point?
• Having the child domain will allow you to keep track what is going on in a specific office.

These are only the main good reasons for creating a child domain. Once you start working in an environment with sub domains you will realize there are a lot more good reasons for splitting the two locations in your Active Directory.

Before you begin …

1. In order to create a child domain on your network, you will need another server, or rather a Domain Controller.

You can build that DC in your main office and then ship it out to the new office. This DC will also be a Global Catalog as well as DNS Server to assist all the clients in the new office with any DNS requests, etc.

2. You also need to prepare your current network for the new sub domain. So before you begin with the new DC configuration you need to do the following:

• Create a new site in your Active Directory that will represent the physical structure of your network. In my example our main office is in New York and the new one is in Chicago. Based on that info, you would create a new site for the Chicago office.
• In addition to the new site you will also need to create a new subnet for your new location. It will allow you to track all of your machines by location. This new subnet should be assigned to your new location.

Once you prepare your network as mentioned above, we are now ready to create a new Domain Controller.

Creating a New Domain Controller

Once you have prepared your network for you child domain and have created the site and sub domain, it’s time to install the new DC on our new site.

As you can see our main office is in New York and we have 3 DCs already configured in the New York Site (see the screenshot below).

Our new site called Chicago doesn’t have any DCs configured yet –- this is where we are going to configure our new DC.

1. After you have installed Windows Server 2008 on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.

2. We will need to install the Active Directory Domain Services (ADDS) Role first. So go ahead and check the box next to it and click Next.

3. In this window you will see some additional information about ADDS. Once ready, click on Next.

4. As always you are being informed that once the installation is completed the server will restart and you will need to use the ADDS Installation Wizard to make the server a fully functional Domain Controller.

Go ahead and click on the Install button.

5. The installation will now run for a few minutes.

6. Now it’s time to click on the link and run dcpromo.exe.

7. Go ahead and click Next on the welcome screen.

8. And Next again (for more detailed information on this step you can check out this post on Installing Active Directory Domain Services on Server 2008).

9. Since this is going to be your child domain, make sure you select the Existing forest option and then select Create a new domain in an existing forest.

When ready, click on the Next button.

10. Type in your domain name with the correct internet suffix. In my example I’m are using our globomantics.com domain.

Since this domain already exists and you are logged in to this machine only as a local administrator you will also need to enter alternate credentials of a domain administrator in order to proceed.

So go ahead and click on the Set button.

11. Enter the domain administrator’s name and password, then hit OK.

12. When ready, click on Next.

13. In this step you will need to enter the Fully Qualified Domain Name (FQDN) of your child domain in two steps.

The first is the FQDN of your parent domain. In our example it is going to be globomantics.com.

Next you need to enter the single-label DNS name of your child domain — that means anything that is before the globomantics.com.

In my example I entered na for na.globomantics.com — as seen on the bottom.

That will be our FQDN for the new child domain. Once ready, click on the Next button.

14. Now it’s time to select a site for this DC.

Now you see why we needed to create the new site before we started this installation. Select the correct site and click Next.

15. As mentioned earlier we are going to make this DC be our DNS server as well as Global catalog for our new site.

Make sure both check-marks are checked and then click on the Next button.

16. I would recommend leaving the default locations for these databases unless you have a really good reason not to. Click Next.

17. In this windows you will need to setup the Directory Services Restore Mode Administrative Password for restore purposes.

Go ahead and type that in and then click on the Next button.

18. On this summary window double check your selections and when ready click Next.

19. You can check the box Reboot on completion and let the installation complete.

Congratulations! Your Child Domain has been created!

Related posts:

• Windows Server 2008: Install Active Directory Domain Services
• Server 2008 Active Directory User Groups — the Easy Way!
• Windows Server 2008 Active Directory — Creating Users is Easy!

The 2003 version of this edition was severely limited by licensing to what you could install and do on it, and was really only a solution for the most basic of web sites.

The 2008 version has had most of those limits removed and is now a much more viable alternative for hosts and companies looking for a economical Windows based web server running IIS7.

One of the most glaring oversights for this edition of Windows Web Server is the exclusion of the DNS role. I understand the argument from Microsoft that if you are running this edition of server more than likely your hosting company will have a DNS infrastructure in place and most users can and will use that.

I counter that with the fact that I like to control my own DNS name servers and records and do not like having to deal with a hosting company infrastructure that may or may not be streamlined for DNS requests.

I have read in various forums that the Server team is looking into this and it may change in the future, but for now we will have to find another solution for this problem.

This low cost (free) solution is going to be — installing BIND DNS on the server and configuring it to handle DNS queries.

Today I’ll focus on the installation part and in Part 2 I’ll show you how to configure BIND DNS on Windows Web Server 2008.

BIND DNS Server

BIND (Berkeley Internet Name Domain) is an open source implementation of Domain Name System (DNS) protocols distributed for free under the BSD License.

It is currently maintained on the Internet Systems Consortium and is used by the majority of the DNS servers on the Internet.

The current version we are going to be using in this article is BIND 9.5.0-P2-W2 (Windows-specific fixes). You can download the current version at:

http://www.isc.org/index.pl?/sw/bind/index.php

Creating a User Account for Bind

BIND requires a local user with only "Log on as a service" privilege. The installer will actually check for this, and if the user has more rights it will ask if you really want to use that ID.

The default user for the BIND installer is named, but you can do any other name you want.

1. Open the Computer Management console

2. Select Local Users and Groups and then right click on Users, select New User…

3. Fill in the new user information, I am going to use the following and then click Create before closing the New User window:

User name: named
Description: BIND DNS Account
Password: %password%
Confirm Password: %password%
Unselect: User must change password at next logon
Select: User cannot change password
Select: Password never expires

4. Now open the Local Security Policy MMC from the Administrative Tools Menu.

5. Expand Local Policies then select User Rights Assignment in the policy pane; scroll down and right click on Log on as a service, then left click Properties.

6. Click on Add User or Group…

7. Type in the user account you created, in our case the default named, then click Check Names to make sure you typed it correctly, then click Ok.

8. Click Ok to exit the properties box, and you should see the account listed now next to the Log on as a service policy.

That’s it for the user account for now. Later you will have to give the account you created read/write rights to the directory you install BIND into, but that will be covered in a bit.

Install BIND DNS on Windows Web Server 2008

This is where we will walk through the install and initial configuration of BIND DNS. Let’s get started!

1. Unzip the download and then click on BindInstall.exe to start the installation.

2. The installer will ask for the following information:

Target Directory: Your choice
Service Account Name: The account we created earlier
Service Account Password: Password used
Confirm Service Account Password: Password used

For options I am leaving the default , when you are done click Install

3. When you click on Install you might get a message saying the account has too many privileges, just click on No to continue. You can go in and strip out more of the accounts rights, but as a average user, the attack profile will be low.

4. After a few seconds you should see a message that states Bind installation completed successfully. Click Ok, and then click Exit on the installer.

5. We now want to go in and give the user account you have been using full read/write rights to the directory you installed BIND to.

You have now installed BIND on the server and set it up to run as a service. It is important to note that the installer does not copy over the help html files, so if you are going to need those you can move them to a convenient location yourself.

Summary

In this article we have installed BIND DNS on a Windows Web Server and set it up to run as a service under a local user.

Now since BIND DNS comes from the *NIX side of the house there is quite a bit more we have to do to configure this before it runs.

In the next article we will go through configuring BIND DNS with some demo configurations.

Related posts:

• Configure BIND DNS on Windows Web Server 2008 – Part 2
• Windows Server 2008 Active Directory — Creating Users is Easy!
• Windows Server 2008: Install Active Directory Domain Services

Active Directory provides the structure to centralize the network and store information about network resources across the entire domain. Active Directory uses Domain Controllers to keep this centralized storage available to network users.

In this scenario we are going to install Active Directory fresh with a brand new Domain Controller after a fresh install of Windows Server 2008.

Requirements for Active Directory Domain Services

Let’s go through some of the requirements for a fresh install of Active Directory Domain Services. Some of these will be required to be done before hand; others as noted can be done during the install:

• Install Windows Server 2008
• Configure TCP/IP and DNS networking configurations
• The disk drives that store SYSVOL must be on a local drive configured NTFS
• Active Directory requires DNS to be installed in the network. If it is not already installed you can specify DNS server to be installed during the Active Directory Domain Services installation.

Once you verify that these requirements have been met we can get started.

Install Active Directory Domain Services via Server Manager

For the first example let’s start by installing Active Directory through Server Manager. This is the most straight forward way, as a wizard will guide you through the steps necessary.

1. Start Server Manager.

2. Select Roles in the left pane, then click on Add Roles in the center console.

3. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

4. In the Select Server Roles window we are going to place a check next to Active Directory Domain Services and click Next.

5. The information page on Active Directory Domain Services will give the following warnings, which after reading, you should click Next:

• Install a minimum of two Domain Controllers to provide redundancy against server outage (which would prevent users from logging in with only one)
• AD DS requires DNS which if not installed you will be prompted for
• After installing AD DS you must run dcpromo.exe to upgrade to a fully functional domain controller
• Installing AD DS will also install DFS Namespaces, DFS Replication, and Filer Replication services which are required by Directory Service

6. The Confirm Installation Selections screen will show you some information messages and warn that the server may need to be restarted after installation.

Review the information and then click Next.

7. The Installation Results screen will hopefully show Installation Succeeded, and an additional warning about running dcpromo.exe (I think they really want us to run dcpromo).

After you review the, click Close.

8. After the Installation Wizard closes you will see that server manager is showing that Active Directory Domain Services is still not running. This is because we have not run dcpromo yet.

9. Click on the Start button, type dcpromo.exe in the search box and either hit Enter or click on the search result.

10. The Active Directory Domain Services Installation Wizard will now start.

There are links to more information if you want to learn a bit more you can follow them or you can go ahead and click Use advanced mode installation and then click Next.

11. The next screen warns about some operating system compatibility with some older clients.

For more information you can view the support documentation from Microsoft and after you have read through it go ahead and click Next.

12. Next is the Choose Deployment Configuration screen and you can choose to add a domain to an existing forest or create a forest from scratch.

Choose Create a new domain in a new forest and click Next.

13. The Name the Forest Root Domain wants you to name the root domain of the forest you are creating.

For the purposes of this test we will create ADExample.com. After typing that go ahead and click Next.

14. The wizard will test to see if that name has been used, after a few seconds you will then be asked for the NetBios name for the domain.

In this case I will leave the default in place of ADEXAMPLE, and then click Next.

15. The next screen is the Set Forest Functional Level that allows you to choose the function level of the forest.

Since this is a fresh install and a new forest with no additional prior version domains to worry about I am going to select Windows Server 2008. If you did have other domain controllers at earlier versions or had a need to have Windows 2000 or 2003 domain controllers (because of Exchange for example), then you should select the appropriate function level.

Select Windows Server 2008 and then click Next.

16. Now we come to the Additional Domain Controller Options where you can select to install a DNS server, which is recommended on the first domain controller.

If this was not the first domain controller you would have the options of installing Global Catalog and/or setting this as a Read-only Domain Controller. Since it is the first domain controller, Global Catalog is mandatory, and a RDOC controller is not an available option.

Let’s install the DNS Server by placing a check next to it and clicking Next.

17. You will get a warning window about delegation for this DNS server cannot be created, but since this is the first DNS server you can just click Yes and ignore this warning.

18. Next you can choose to place the files that are necessary for Active Directory, including the Database, Log Files, and SYSVOL.

It is recommended to place the log files and database on a separate volume for performance and recoverability. You can just leave the defaults though and click Next.

19. Now choose a password for Directory Services Restore Mode that is different than the domain password. Type your password and confirm it before hitting Next.

Note: You should use a STRONG password for this and will be warned if it doesn’t meet criteria.

20. Next you will see a summary of all the options you have went through in the wizard.

If you plan on creating more domain controllers with the same settings hit the Export settings … button to save off a txt copy of the settings to use in an answer file for a scripted install. After exporting and reviewing settings click on Next.

21. Now the installation will start including the DNS server option if selected. You will notice a box to Reboot on completion that you can check to reboot soon as everything is installed (A reboot is required you can do it manually or use this function to do it automatically).

NOTE: This can be from a few minutes to several hours depending on different factors.

Confirming Active Directory Domain Services Install

When you reboot you will be asked to login to the domain, and be able to open Active Directory Users and Computers from the Administrative menu.

When you do you will see the domain ADExample.com and be able to manage the domain.

You have now successfully installed Active Directory Domain Services and the first Domain Controller.

Related posts:

• Server 2008 Active Directory: Adding a Child Domain
• Server 2008: Install Active Directory Certificate Services
• Install Read-Only Domain Controller on Windows Server 2008

Left over from the days when Microsoft networks were mainly broadcast based, NetBIOS name resolution has long been a thorn in the side of the Windows administrator.

Though most networks eventually mature into a state where the WINS servers stand quietly and dish out simple name resolution, getting the proper configuration in place can be a nightmare. Even after the configuration is set, problems can creep up when users move locations or when DHCP or DNS servers are removed, relocated or added.

Often these network issues look like something else, so the admins end up spending way too much time troubleshooting the issue.

Still, there has really been nothing the administrator can do about it, thanks to legacy applications and user’s understandable inability to work with complicated Fully Qualified Domain Names (FQDN).

(I’ve literally seen something like: Sever5.Austin.RemoteOffice.District7.Operations.Users.TheBigCompany.com)

All of this changes in Windows Server 2008 …

Introducing: GlobalNames Zone

Windows Server 2008 comes with IPv6 installed and enabled (if you haven’t already, check out my article on Windows Server 2008 IPv6 – The Future of Internet Protocol).

IPv6 makes no provision for WINS and Microsoft has wisely chosen not to shoehorn something in specifically for Microsoft networks.

IPv6 works with DNS, and DNS only. So, Microsoft came up with a rather ingenious solution to the problem of simple-name resolution, a special forward lookup zone.

The GlobalNames Zone (GNZ) is a regular issue, standards compliant forward lookup zone.

That means no interoperability issues for administrators. (And there was much rejoicing.) It does require a special name – GlobalNames – but otherwise, it is indistinguishable from other forward lookup zones.

It does take a specific configuration though. Specifically, it must be set to replicate to all DNS servers in the forest. It should not be set for dynamic updates, and GlobalNames Zone support has to be enabled on the DNS server.

How GlobalNames Zone Works

So how does this new bad boy work?

Basically, if a DNS server receives a request that it can’t resolve in its normal way by using local zones, it will then try and resolve the name with the GlobalNames Zone.

So, when that request comes in for AustinServer, the DNS servers will check its normal local zones (filled with FQDN) and come up empty. Then, it will check the GlobalNames Zone — where it will find AustinServer, and match it to its FQDN.

No extra configuration needed on the client to point to a WINS server, and no extra configuration on server to add a WINS role. You’ll be using DNS anyway, so everything that has to be there is already installed.

How to Setup GlobalNames Zone

Setting up GNZ is pretty straightforward as well. Just logon to your Domain Controller and fire up Server Manager.

Next, expand the DNS section under Roles until you come to Forward Lookup Zones. Inside Forward Lookup Zones, create a new zone.

The new zone should be a Primary Zone and needs to be set to Store the Zone in Active Directory. (Don’t forget this checkbox!)

Click Next to move on to the next page. Here, name the zone “GlobalNames” (this name is required).

Also, do not enable Allow Dynamic Updates. That is it for configuration only.

The one semi-bumpy spot is enabling GNZ support on the server. This requires issuing a command via the command-line. The command is:

dmscmd /config /EngalbeGlobalNamessupport 1

Where you are most likely to mess this up is the two "s". It is Global Names Support not Global Name Support. Remember that and you’ll be fine.

This support has to be enabled on all the DNS servers in the forest. Don’t waste time typing it in all those times. Make a simple batch file and schedule it to replicate and run on all the servers.

In order to avoid any forgetfulness on new servers, make sure enabling GNZ support is included as standard operating procedure for all new DNS server installations.

All that is left is to build the forward lookup zone. Each entry will be a CNAME record with the corresponding Fully Qualified Domain Name.

Will You Ever Need WINS Again?

It is possible that some applications seem to require a WINS server. Unless the application interacts via specific WINS commands (not very common), it is usually possible to trick it by giving the program the address of a DNS server instead of a WINS server.

When your DNS server gets the name request, it will find the name and respond. Any application still being supported shouldn’t need this crutch for very long since most applications are being readied to work with IPv6 and there is no WINS in IPv6.

If you are tempted to configure both WINS and GNZ, don’t.

While it isn’t specifically forbidden, if you think your simple-name resolution is flakey now, wait until sometimes a WINS server responds and sometimes a GNZ server responds.

Not to mention you’ll have to add new entries to both places every time you add a resource to the network. The whole point of GNZ is to make things simpler not more complicated.

Say Goodbye to WINS and Say Hello to GNZ

Victory! WINS is no longer needed on your network. How do you celebrate?

Step One: Go into your DHCP configuration for the domain and find the setting: "WINS Is Not Required".

Invite the whole systems administrator team and have everyone gather around. This is a big moment for your network.

Select the no WINS setting and start the high-fives.

Step Two: Go to happy hour. Get the Jalapeno Poppers, you’ve earned them.

Related posts:

• Migrating to IPv6 with Windows Server 2008
• Windows DNS Server 2008: Setup External Internet DNS Server
• Windows Server 2008 IPv6 — The Future of Internet Protocol

For those of you that might need a refresher, the DNS service is the addressing book of the networking world, allowing the translation of human friendly names to IP addresses at its base level.

It also stores other types of records that helps in delivery of different types of information from one end of the Internet to the other.

Why Have An External DNS Server?

This is especially useful if you are running IIS and have a lot of sites and don’t want to use a 3rd party option for DNS. For example, at a client I worked with, they owned over 250 domain names and wanted to keep tight control over their DNS in case of server moves and other email considerations.

An external DNS server will also help limit the exposure of your network to security leaks in case the server is compromised. If you connect the Internet facing server to the rest of your DNS servers you will have your internal network AD information stored on there. Should this external facing server get hacked or compromised they would find quite a bit more information than just some publicly available resource records.

Once you have setup the external DNS servers you have your internal DNS servers with your private information forward requests to the external DNS server for clients needing name resolution to the outside world.

Installing Windows DNS Server 2008

The first thing we will have to do is setup the DNS Role on the server that we want to use. Let’s walk through that first:

NOTE: This walkthrough is for EXTERNAL DNS servers and will not include information on integrating with Active Directory or installing other components other than what is needed.

1. Open Server Manager and click on Roles in the left pane and then click on Add Roles in the center pane.

2. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.

If you get this page, then just click Next.

3. Next is the Select Server Roles window, and we are going to go ahead and check DNS Server in the list of possible roles.

Now if you don’t have a Static IP Address assigned to your server you will get the warning:

Either choose to ignore the warning and continue to install or go back and set a Static IP for the server. Either way you come back to the Select Server Roles screen, you can now choose to click Next.

4. Next is the DNS Server information screen giving some links to understanding the DNS integration with AD and other information.

Of course since we are configuring an External DNS server we will click Next to continue.

5. Confirm the Installation Selections by reviewing the list and then clicking Install.

6. After a little while you should now see the Installation Results page, and hopefully see a Installation Succeeded message across from DNS Server, and then click Close.

That’s it! You have now installed the DNS Role on a Windows Server 2008. Let’s go to some configuration tasks now.

Please note that when you install the DNS service the server will automatically open up port 53 TPC/UDP for DNS related traffic.

Configure Windows DNS Server 2008

Ok, before we start configuring your server there are a few basics we should cover.

Remember I said basics, because I am not going to go beyond what is needed for an External DNS server and confuse the issue, but there are other options beyond what I am going to review here.

• Forward Lookup Zone – A DNS Zone that does lookups for the domain name to IP address. This is the most common form of zone that people will use.
• Reverse Lookup Zone – This DNS Zone is the exact opposite of the Forward Lookup Zone and allows an IP to be assigned to a domain/hostname.
  
  Note: Most external Reverse Lookup Zones will not work unless you own your block of IPs. The ISP/WebHost service that you use will more than likely own the reverse IP records, and you will have to request them to make any changes you require.

If you have gone through my earlier IIS articles you know that I have used a test domain called logfiletest.com. Let’s go ahead and create a forward lookup zone for that domain.

1. Open DNS Manager

2. Since I am local to the server it will automatically have itself in the DNS Manager. Expand out the server then right click on Forward Lookup Zones, and then left click on New Zone.

3. Welcome to the New Zone Wizard, should be the next window you see. Go ahead and click Next.

4. Next we are going to pick a zone type. Since this is going to be the primary DNS server for logfiletest.com choose Primary Zone, and then click Next.

5. Now we are going to enter the Zone Name, in this case it is logfiletest.com. After entering the name of your zone go ahead and click Next.

6. The next window is about the zone file.

Non-Active Directory zones are kept in a flat text file in %SystemRoot%\system32\dns on the server. You have the option of creating a new one or using one that was copied over from a different server.

In our case we will use the default naming and create a new one, by clicking Next.

7. Dynamic Updates allow client computers to create and update their own resource records. For external servers this would be bad, so we will go with the Do not allow dynamic updates radio button and then click Next.

8. Completing the New Zone Wizard will be the next window and it has a review of the settings you specified during the wizard.

Go ahead and click on Finish to complete the setup of the Forward Lookup Zone for logfiletest.com.

9. At the completion you will now return back to the DNS Manager, and you can see logfiletest.com is now listed under the Forward Lookup Zone folder.

Congratulations on your setup! Though the domain is setup it currently has no resource records in it to resolve! Let’s fix that and give this server a purpose.

There are different types of resource records, in this case we are going to create a Host (A) record, which maps a name to an IP address.

Create a Host (A) Record on Server 2008 DNS

The most basic and simple host record is going to be for a website, so let’s go ahead and map the www of the domain name to the IP that the website uses.

For our example, the IP of logfiletest.com is 192.168.11.5.

1. Open DNS Manager

2. Choose the Forward Lookup Zone you want to work with, in this case it is logfiletest.com and right click on it. Select New Host (A or AAAA) and left click on it.

Note: Don’t be confused by the AAAA, as that is used for IPv6 records.

3. The new host window will now popup allowing you to enter the name (if blank it will use the parents domain name), which we will type in www, and fill in the IP address we want logfiletest.com to resolve to, which is 192.168.11.5.

If we choose to we can associate a PTR record with this, which would create the reverse lookup. Not necessary in this case since we don’t control the IPs.

Click Add Host when done.

4. You will get a message that confirms the creation of the Host Record, so click OK.

5. Now in the DNS Manager you will see your A resource record for www mapped to the correct IP.

6. Now let’s do a quick test with NSLookup and you will see that the name resolves correctly.

Summary for Creating External DNS Server

So we have walked through the following:

• Installing DNS Role on a Windows Server 2008
• Created a Forward Lookup Zone
• Created a Host (A) Resource Record

Again this is just the basics for getting you started in running your own External DNS Server.

In the future we will discuss the different types of resource records and how they are used, how to make use of features such as round robin DNS and setup redundancies to keep your sites resolving correctly.

Related posts:

• GlobalNames Zones and the Long Overdue Demise of WINS
• Configure BIND DNS on Windows Web Server 2008 – Part 2
• Server 2008: How to Setup a Remote Desktop on Windows Vista

Those lower-level administrators that run to Ted whenever things get tough have stood before the daunting black command-line box and trembled in fear at the blinking white cursor. You sneered as you waited to see if they would break down and cry at the prospect of being without their precious mouse.

But, you’re getting tired of just showing off your GUI-less install. It’s time to take this server out for a spin and see what it can do.

If you aren’t sure what role you want to assign yet, you can just play around with it, "role playing," if you will. Hah! Ok, it isn’t that funny, but a no-GUI sever isn’t that great until it can do something either.

It needs to have a role installed.

Installing a role in a Server 2008 full install is so easy a 1st Level Magic-User Dwarf could do it (more role playing, heh).

Just open up Server Manager and a few clicks later you’ve got a role installed or uninstalled.

Obviously, on a server without a GUI, Server Manager is out … or is it?

Available Roles

On a Windows Server 2008 Core install, just eight roles are available. All other roles take too many dependent processes or are too complicated themselves to reside on a core install. The available roles are:

• Active Directory
• Active Directory LDS
• DHCP Server
• DNS Server
• File Services
• Print Services
• Streaming Media Services
• Windows Server Virtualization

Server Manager Command-Line Style

The beta testing phase for Server 2008 was much longer than usual. As a result, the engineers at Microsoft got some extra time to code in features. One of those features was a command line interface for Server Manager.

That command is servermanagercmd.exe and it is great for scripting all sorts of commands and even for installing and removing roles.

Since you are a hard-core administrator, you already know all about servermanagercmd and you don’t need no stinkin’ GUI. So, you start typing …

"What the–?" Although servermanagercmd is a command-line utility, it is still part of the very extensive Server Manager program. Unfortunately, Server Manager has too many dependencies on APIs and processes that are not installed on Server Core, so servermanagercmd is out.

Instead, Microsoft has supplied another lower-level command that does not have the dependencies of Server Manger. The command, ocsetup.exe, and its partner in crime, oclist.exe provide the functionality to install server roles.

Neither of these commands exists on a full install of Windows Server 2008, so you’ll have to stick with servermanagercmd for command-line execution on a full install.

Oclist.exe and Ocsetup.exe

Grab your trusty TechNet CD and punch in your query. Installing a role on a Server Core install takes a command called ocsetup.exe. Check out the syntax:

c:\Windows\System32\>start /w ocsetup DNS-Server-Core-Role

The /w switch makes sure that control doesn’t come back to the command prompt until ocsetup has finished executing. This is a good thing because it can take a few minutes to complete installing the role and this way things won’t get messed up by moving on to the next step before the install is complete.

I know what you are thinking, "Yea, though I walk through the Valley of the Shadow of No-GUI, I shall fear no administration task, for I am the meanest administrator in the Valley." You figure you’ll memorize "DNS-Server-Core-Role" so that you never again need to go back into your TechNet to install a role. Ted would want it that way.

Think again, Super-Admin. For some inexplicable reason the ocsetup command is CaSe SensaTive! Not only that, but there is no logic to the naming of the roles. You’re thinking that if DNS Server is DNS-Server-Core-Role then DHCP Server must be DHCP-Server-Core-Role, right? Bzzzz! Wrongo! Hey, where did Ted get that buzzer from anyway?

Installing the DHCP Server role actually takes the parameter DHCPServerCore – no hyphens, no "Role." With eight different roles available on Server Core, you could memorize them all, but then again, there is Super-Admin and then there is Computer Nerd With No Life. You don’t want to go there.

Instead, we turn to the oclist.exe command. Oclist covers much of the role played by servermanagercmd -query over in the full installation world. Type oclist.exe and after a brief delay all the roles and features available are listed along with whether or not they are installed. The way they are displayed, is the way they have to be typed in. No need to memorize.

The Active Directory Role

With ocsetup and oclist you can install all of the roles available on Server Core except for the Active Directory role. The Active Directory role requires more than just copying new files and starting a service. The server must also be promoted.

So, the command necessary for installing the Active Directory role is dcpromo.exe. But, there is a catch (of course there is). Typing dcpromo launches the GUI for promoting and demoting servers. This is Server Core, so there is no GUI.

The trick is to run dcpromo in unattended mode. That way it doesn’t bother trying to launch the GUI. The unattended mode is triggered by the /unattend switch and takes an input parameter of a text file. That text file must contain the input normally provided by clicking around the GUI. So, assuming our input text file is named inputfile.txt then the syntax is:

dcpromo /unattend:inputfile.txt

The format of the text file is fairly simple. It starts with "[DCInstall]" and then each parameter with an equals sign, followed by the value you with to set. So, something like this:

[DCInstall]
UserName=Ted
Password=*
SiteName=TheSite
NewDomain=DomainName
NewDomainDNSName=ourcompany.com

… and so on. Depending on the structure of your enterprise, your inputfile.txt file can be very long (or very short).

Microsoft provides a full list of parameters, their function, and use with the "Appendix of Unattended Installation Parameters" under "Windows Server 2008 Technical Library > Active Directory Domain Services > Getting Started: AD DS > Step-by-Step Guide for Windows Server 2008 Active Directory Domain Services Installation and Removal" either online or on TechNet. (You may have to use the Table of Contents Panel to navigate there online.)

With a server role installed, your Windows Server Core install is ready for the big-time, just like your 11th Level Paladin. Now if we can just find out where Ted keeps that buzzer…

Related posts:

• Less is More — Windows 2008 Server Core
• 10 Steps to Installing the Web Server Role in Windows Server 2008
• Install DHCP Role on Windows Server 2008