Deploying Domain Name System

(DNS)
Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Microsoft® Windows® Server 2003 Domain Name System (DNS) provides efficient
name resolution and interoperability with standards-based technologies. Deploying DNS
in your client/server infrastructure enables resources on a TCP/IP network to locate other
resources on the network by using host name-to-IP address resolution and IP address-to-
host name resolution. The Active Directory® directory service requires DNS for locating
network resources.

In This Chapter
Overview of DNS Deployment

Examining Your Current Environment

Designing a DNS Namespace

Designing a DNS Server Infrastructure

Designing DNS Zones

Configuring and Managing DNS Clients

Securing Your DNS Infrastructure

Integrating DNS with Other Windows Server 2003 Services

Implementing Windows Server 2003 DNS

Additional Resources for Deploying DNS

Related Information
• For more information about DNS, the Windows Server 2003 DNS Server service,
and Windows Server 2003 DNS Client service, see the Networking Collection of
the Windows Server 2003 Technical Reference (or see the Networking Collection
on the Web at http://www.microsoft.com/reskit).
Overview of DNS Deployment

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

DNS is the primary method for name resolution in the Microsoft® Windows®
Server 2003, Standard Edition; Windows® Server 2003, Enterprise Edition; and
Windows® Server 2003, Datacenter Edition operating systems (collectively referred to as
"Windows Server 2003" in this chapter). DNS is also a requirement for deploying Active
Directory, but Active Directory is not a requirement for deploying DNS. However,
integrating DNS with Active Directory enables DNS servers to take advantage of the
security, performance, and fault tolerance capabilities of Active Directory.

If you are planning to deploy DNS to support Active Directory, plan your DNS
namespace in conjunction with planning your Active Directory logical structure. For
more information about designing the Active Directory logical structure, see "Designing
the Active Directory Logical Structure" in Designing and Deploying Directory and
Security Services of this kit.

Examining Your Current Environment

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Before you deploy Windows Server 2003 DNS, you must assess your current
environment to determine the DNS needs and constraints of your organization. After that,
create a Windows Server 2003 DNS deployment plan to match those needs and
constraints. Figure 3.2 shows the process for examining your current environment.

Figure 3.2 Examining Your Current Environment

Designing a DNS Namespace

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Before you deploy a DNS infrastructure, the DNS designer in your organization must
design a DNS namespace. You can design an external namespace that is visible to
Internet users and computers, or you can design an internal namespace that is accessible
only to users and computers that are within the internal network. After your DNS
namespace has been deployed, DNS administrators are responsible for managing and
maintaining the DNS namespace. Figure 3.3 shows the process for designing a DNS
namespace.

Figure 3.3 Designing a DNS Namespace

Designing a DNS Server Infrastructure

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

DNS servers store information about the DNS namespace and use the information to
answer queries from DNS clients. The size of the DNS zone data, how many DNS clients
you have, and where these clients are physically located all impact your DNS server
topology.

The DNS designer in your organization designs DNS servers that enable you to create an
effective DNS data distribution and update topology while minimizing query and zone
transfer network traffic. The DNS administrators in your organization manage and
maintain your DNS servers. Figure 3.6 shows the process for designing DNS servers.
Figure 3.6 Designing a DNS Server Infrastructure

Designing DNS Zones

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Each zone type that is available in Windows Server 2003 DNS has a specific purpose.
The DNS designer in your organization selects the type of zones to deploy based on the
practical purpose of each zone. The DNS administrators in your organization manage and
maintain your DNS zones. Figure 3.8 shows the process for designing DNS zones.

Figure 3.8 Designing DNS Zones

Configuring and Managing DNS Clients

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

When you configure DNS clients, you must specify a list of DNS servers for clients to
use when resolving DNS names. You can also specify a DNS suffix search list to be used
by the clients when performing DNS query searches for short, unqualified domain names.

Figure 3.9 shows the process for configuring and managing DNS clients.

Figure 3.9 Configuring and Managing DNS Clients

Securing Your DNS Infrastructure

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Because DNS was designed to be an open protocol, DNS data can be vulnerable to
security attacks. Windows Server 2003 DNS provides improved security features to
decrease this security issue. The DNS designer in your organization is responsible for
creating a secure DNS infrastructure. The DNS administrators in your organization are
responsible for maintaining network security by anticipating and mitigating new security
threats.

Figure 3.10 shows the process for securing your DNS infrastructure.

Figure 3.10 Securing Your DNS Infrastructure

Integrating DNS with Other Windows Server 2003 Services

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

When you deploy Windows Server 2003 DNS, it is important to integrate the DNS
service with other Windows Server 2003 services, such as DHCP and WINS. DNS
administrators are responsible for integrating DNS with WINS and DHCP. Figure 3.11
shows the process for integrating Windows Server 2003 DNS with other Windows
Server 2003 services.

Figure 3.11 Integrating DNS with Other Windows Server 2003 Services
mplementing Windows Server 2003 DNS

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

After you have tested your configuration in a pilot lab, you can implement your changes
in your production environment. Figure 3.12 shows the process for implementing
Windows Server 2003 DNS.

Figure 3.12 Implementing Windows Server 2003 DNS

Additional Resources for Deploying DNS

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

These resources contain additional information and tools related to this chapter.

Related Information
• "Designing a Resource Authorization Strategy" in Designing and Deploying
Directory and Security Services of this kit for information about establishing
security policies.

• "Designing the Active Directory Logical Structure" in Designing and Deploying

Directory and Security Services of this kit for information about how to deploy
DNS specifically for Active Directory.

• "Designing Security Policy" in Designing a Managed Environment of this kit for

more information about security policies.
 • "Designing an Authentication Strategy" in Designing and Deploying Directory
and Security Services of this kit.

• "Deploying ISA Server" in this book for more information about perimeter
networks.

• "Deploying DHCP" in this book.

• "Designing a Group Policy Infrastructure" in Designing a Managed Environment

of this kit.

• The Networking Collection of the Windows Server 2003 Technical Reference (or
see the Networking Collection on the Web at http://www.microsoft.com/reskit)
for more information about the DNS Server service and DNS troubleshooting.

• The Windows Security Collection of the Windows Server 2003 Technical

Reference (or see the Windows Security Collection on the Web at
http://www.microsoft.com/reskit) for more information, about Active Directory
installation and removal.

• RFC 1035: Domain Names — Implementation and Specification.

• DNS and BIND, 4th ed., by Paul Albitz and Cricket Liu, 2001, Sebastopol, CA:
O’Reilly & Associates for more information about DNS.

• Windows 2000 TCP/IP Protocols and Services, by Thomas Lee and Joseph
Davies, 2000, Redmond, Washington: Microsoft Press for more information about
the DNS wire protocol.

• The Internet Engineering Task Force (IETF) link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about Request for Comments (RFC) documents and IETF Internet-Drafts.

Related Tools
For information about installing and using the Windows Server 2003 Support Tools and
Support Tools Help, see the file Sreadme.doc in the \Support\Tools folder of the
Windows Server 2003 operating system CD.

• Dnscmd.exe

You can use the Dnscmd.exe command-line tool to perform most of the tasks that
you can perform from the DNS MMC snap-in.

• DNSLint

DNSLint is a command-line tool that you can use to address some common DNS
 name resolution issues, such as lame delegation, DNS record verification, and
verifying DNS records that are used for Active Directory replication.

• Netdiag.exe

Netdiag.exe helps you to isolate networking and connectivity problems by

performing a series of tests to determine the state of your network client and
whether it is functional.

• Nslookup.exe

You can use the Nslookup.exe command-line tool to submit DNS queries and
display the results of the queries.

Related Help Topics

For best results in identifying Help topics by title, in Help and Support Center, under the
Search box, click Set search options. Under Help Topics, select the Search in title
only checkbox.

• "Migrating servers" in Help and Support Center for Windows Server 2003 for
information about upgrading your existing DNS servers or migrating third-party
DNS servers.

• "Monitor Servers" in Help and Support Center for Windows Server 2003 for more
information about testing DNS server performance.

• "Initiate a zone transfer at a secondary server" in Help and Support Center for
Windows Server 2003 for more information about using zone transfer.

• "Dynamic update" in Help and Support Center for Windows Server 2003 for
information about how to configure dynamic updates.

• "Allow only secure dynamic updates" in Help and Support Center for Windows
Server 2003 for information about how to allow only secure dynamic updates.

• "Configuring DNS client settings" in Help and Support Center for Windows
Server 2003 for more information about how to install and configure DNS clients.