Active Directory Cookbook for Windows Server 2003 - P41 (PDF)


a dnsRecord attribute, which is multivalued and contains all of the resource records associated with that node. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable. Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on dnsZone and dnsNode objects, respectively.

Table 13-1. Attributes of dnsZone objects

  Attribute                       Description
  dc                              Relative distinguished name of the zone.
  dnsProperty                     Binary formatted string that stores configuration information about the zone.
  msDS-Approx-Immed-Subordinates  Approximate number of nodes contained within the zone. This is new to Windows Server 2003.

Table 13-2. Attributes of dnsNode objects

  Attribute      Description
  dc             Relative distinguished name of the node.
  dnsRecord      Binary formatted multivalued attribute that stores the resource records associated with the node.
  dnsTombstoned  Boolean that indicates whether the node is marked for deletion. FALSE means it is not and TRUE means that it is.

Recipe 13.1 Creating a Forward Lookup Zone

13.1.1 Problem

You want to create a forward lookup zone. A forward lookup zone maps names to IP addresses or other names.

13.1.2 Solution

13.1.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and click on Forward Lookup Zones.
4. Right-click on Forward Lookup Zones and select New Zone.
5. Click Next.
6. Select the zone type and click Next.
7. If you selected to store the zone data in Active Directory, you will next be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies to Windows Server 2003.)
8. Enter the zone name and click Next.
9. Fill out the information on the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.1.2.2 Using a command-line interface

The following command creates an AD-integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

13.1.2.3 Using VBScript

' This code creates an AD-integrated forward zone.
' SCRIPT CONFIGURATION
strServer  = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>"       ' e.g. othercorp.com
' END CONFIGURATION
' Connect to the DNS WMI Provider on the target server
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
' CreateZone(ZoneName, ZoneType, DsIntegrated): type 0 = primary, True = store in AD
strNull = objDNSZone.CreateZone(strNewZone, 0, True)
WScript.Echo "Created zone " & strNewZone

13.1.3 Discussion

13.1.3.1 Using a command-line interface

When you create an AD-integrated zone with the /DsPrimary switch, you can additionally include a /dp switch and specify an application partition to add the zone to. Here is an example:

> dnscmd /zoneadd <ZoneName> /DsPrimary /dp domaindnszones.rallencorp.com

13.1.3.2 Using VBScript

The DNS WMI Provider is Microsoft's first comprehensive DNS API. You can create and modify zones, query and manage resource records, and manipulate DNS server configuration. In the VBScript solution, the CreateZone method of the MicrosoftDNS_Zone class was used to create the forward zone.

13.1.4 See Also

Recipe 13.2 for creating a reverse lookup zone, MS KB 323445 (HOW TO: Create a New Zone on a DNS Server in Windows Server 2003), MSDN: DNS WMI Provider, and MSDN: CreateZone Method of the MicrosoftDNS_Zone Class

Recipe 13.2 Creating a Reverse Lookup Zone

13.2.1 Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

13.2.2 Solution

13.2.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and click on Reverse Lookup Zones.
4. Right-click on Reverse Lookup Zones and select New Zone.
5. Click Next.
6. Select the zone type and click Next.
7. If you selected to store the zone data in Active Directory, you will next be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies to Windows Server 2003.)
8. Type the Network ID for the reverse zone or enter a reverse zone name to use.
9. Fill out the information on the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.2.2.2 Using a command-line interface

The following command creates an AD-integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

13.2.2.3 Using VBScript

' This code creates an AD-integrated reverse zone.
' SCRIPT CONFIGURATION
strServer  = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>"       ' e.g. 8.10.192.in-addr.arpa.
' END CONFIGURATION
' Connect to the DNS WMI Provider on the target server
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
' CreateZone(ZoneName, ZoneType, DsIntegrated): type 0 = primary, True = store in AD
strNull = objDNSZone.CreateZone(strNewZone, 0, True)
WScript.Echo "Created zone " & strNewZone

13.2.3 Discussion

Creating a reverse zone is very similar to creating a forward zone. See Recipe 13.1 for more information.

13.2.4 See Also

MS KB 323445 (HOW TO: Create a New Zone on a DNS Server in Windows Server 2003) and MSDN: CreateZone Method of the MicrosoftDNS_Zone Class

Recipe 13.3 Viewing a Server's Zones

13.3.1 Problem

You want to view the zones on a server.

13.3.2 Solution

13.3.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and press Enter.
4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the supported zones.

13.3.2.2 Using a command-line interface

> dnscmd <DNSServerName> /enumzones

13.3.2.3 Using VBScript

' This code lists the zones that are supported by the specified server.
' SCRIPT CONFIGURATION
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
' END CONFIGURATION
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' WQL query for every zone hosted on this server
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
    WScript.Echo "  " & objZone.Name
next

13.3.3 Discussion

13.3.3.1 Using a graphical user interface

When you click on either Forward Lookup Zones or Reverse Lookup Zones in the left pane, the right pane contains a Type column that displays the zone type for each zone.

13.3.3.2 Using a command-line interface

When you use the /enumzones switch without any further parameters, it displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters:

Filter1: /Primary /Secondary /Cache /Auto-Created
Filter2: /Forward /Reverse

With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of having two levels of criteria, you can specify one or more of the following:

/Primary /Secondary /Forwarder /Stub /Cache /Auto-Created /Forward /Reverse /Ds /File /DomainDirectoryPartition /ForestDirectoryPartition /CustomDirectoryPartition /LegacyDirectoryPartition /DirectoryPartition <PartitionName>

13.3.3.3 Using VBScript

A WQL query was used to find all MicrosoftDNS_Zone objects. You can add additional criteria to the WQL Select statement to return a subset of the zones supported on the server.

13.3.4 See Also

MSDN: MicrosoftDNS_Zone

Recipe 13.4 Converting a Zone to an AD-Integrated Zone

13.4.1 Problem

You want to convert a primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file.

13.4.2 Solution

13.4.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and press Enter.
4. If you want to convert a forward zone, expand the Forward Lookup Zones folder. If you want to convert a reverse zone, expand the Reverse Lookup Zones folder.
5. Click on the zone you want to convert, then right-click it and select Properties.
6. Beside Type, click the Change button.
7. Check the box beside Store the zone in Active Directory.
8. Click OK twice.

13.4.2.2 Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

13.4.2.3 Using VBScript

' This code converts a zone to AD-integrated.
' SCRIPT CONFIGURATION
strZone   = "<ZoneName>"    ' e.g. rallencorp.com
strServer = "<ServerName>"  ' e.g. dc1.rallencorp.com
' END CONFIGURATION
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Bind to the zone instance by its WMI key properties
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                            strZone & """,DnsServerName=""" & _
                            objDNSServer.Name & """,Name=""" & strZone & """")
' ChangeZoneType(ZoneType, DsIntegrated): 0 = primary, True = store in AD
strNull = objDNSZone.ChangeZoneType(0, True)
objDNSZone.Put_
WScript.Echo "Converted " & strZone & " to AD-integrated"

13.4.3 Discussion

See the Introduction to Chapter 13 and Recipe 13.5 for more on AD-integrated zones.

13.4.4 See Also

MS KB 198437 (How to Convert DNS Primary Server to Active Directory Integrated), MS KB 227844 (Primary and Active Directory Integrated Zones Differences), and MSDN: ChangeZoneType Method of the MicrosoftDNS_Zone Class

Recipe 13.5 Moving AD-Integrated Zones into an Application Partition

This recipe requires the Windows Server 2003 domain functional level.

13.5.1 Problem

You want to move AD-integrated zones into an application partition.

13.5.2 Solution

13.5.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.
4. Click on the name of the zone.
5. Right-click on the zone and select Properties.
6. Click on the Change button beside Replication.
7. Select the application partition you want to move the zone into.
8. Click OK twice.

13.5.2.2 Using a command-line interface

The following command moves a zone to the default application partition that replicates to all domain controllers that are DNS servers in the domain:

> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> /domain

13.5.2.3 Using VBScript

At the time of publication of this book, the DNS WMI Provider did not support programmatically moving a zone into an application partition.

13.5.3 Discussion

With Windows 2000 Active Directory, AD-integrated zones were replicated to every domain controller in the domain where they were stored. In many cases, not every domain controller also serves as a DNS server, which results in increased and unnecessary traffic to replicate changes to the zone(s).

Windows Server 2003 provides an elegant solution to this issue by using application partitions. Application partitions are user-defined partitions that can be configured to replicate to any domain controller in a forest. This provides a lot more flexibility in how you store and replicate your AD-integrated zones. You could, in fact, have a couple of domain controllers from each domain act as DNS servers for all of your AD domains.

13.5.4 See Also

Chapter 17 for more information on application partitions

Recipe 13.6 Delegating Control of a Zone

13.6.1 Problem

You want to delegate control of managing the resource records in a zone.

13.6.2 Solution

13.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.
4. Click on the name of the zone.
5. Right-click on the zone and select Properties.
6. Click on the Security tab.
7. Click the Add button.
8. Use the Object Picker to locate the user or group to which you want to delegate control.
9. Under Permissions, check the Full Control box.
10. Click OK.

13.6.2.2 Using a command-line interface

The following command grants full control over managing the resource records in an AD-integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

13.6.2.3 Using VBScript

' This code grants full control for the specified user or group over
' an AD-integrated zone.
' SCRIPT CONFIGURATION
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
' END CONFIGURATION
set objZone = GetObject("LDAP://" & strZoneDN)

'############################
' Constants
'############################
' ADS_ACETYPE_ENUM: a plain allow ACE. The object-specific ACE type
' (ADS_ACETYPE_ACCESS_ALLOWED_OBJECT) is only needed when the grant is
' scoped to a property or child class through ObjectType; for Full
' Control over the whole object it is not.
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0
' ADS_ACEFLAG_ENUM: let the ACE inherit to child objects so that it also
' covers the dnsNode objects (the resource records) beneath the zone
Const ADS_ACEFLAG_INHERIT_ACE = &h2
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_ALL = &h10000000

'############################
' Create ACL
'############################
set objSD = objZone.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Full Control
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strUserOrGroup
objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
objACE1.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objACE1.Flags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objDACL.AddAce objACE1

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objZone.Put "ntSecurityDescriptor", objSD
objZone.SetInfo
WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

13.6.3 Discussion

By default, members of the DnsAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD-integrated zones by modifying permissions on the zone object in AD. The solutions show examples of how to grant Full Control to a user or group over a particular zone.

Keep in mind what that grant covers. The resource records of an AD-integrated zone are dnsNode child objects of the zone object, so a principal with Full Control over the zone can create, change, and delete records directly over LDAP, without going through the DNS server or its management tools at all. The dsacls command above applies to the zone object itself; add /I:T to make the grant inherit to the existing dnsNode objects as well. Treat Full Control over a zone as the equivalent of DnsAdmins rights for that zone and grant it only to principals you would trust with the zone's contents.

13.6.4 See Also

MS KB 256643 (Unable to Prevent DNS Zone Administrator from Creating New Zones)

Recipe 13.7 Creating and Deleting Resource Records

13.7.1 Problem

You want to create and delete resource records.

13.7.2 Solution

13.7.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.
3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zones folder. If you want to add or delete a record in a reverse zone, expand the Reverse Lookup Zones folder.

To create a resource record, do the following:

4. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).
5. Fill in all required fields.
6. Click OK.

To delete a resource record, do the following:

7. In the left pane, click on the zone the record is in.
8. In the right pane, right-click on the record you want to delete and select Delete.
9. Click Yes to confirm.

13.7.2.2 Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:
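The chapter introduction notes that the dnsRecord values on dnsNode objects are binary and not directly readable, and Recipes 13.6 and 13.7 show that the records a delegated principal manages are exactly those values. The following Python is an added example, not code from the book: it decodes dnsRecord values following the DNS_RPC_RECORD layout documented in MS-DNSP (24-byte header, then the RDATA) and renders a set of nodes as zone-file-style lines, tagging nodes whose dnsTombstoned attribute is TRUE. All sample records, the zone DN, the name dc1.rallencorp.com and the address 192.168.10.5 are constructed in the file, not read from a domain controller.

```python
"""Decode dnsRecord values of dnsNode objects (MS-DNSP DNS_RPC_RECORD layout).

Added example, not code from the Active Directory Cookbook. The byte layout
follows MS-DNSP section 2.3.2.2; every sample below is constructed in this
file, not captured from a domain controller.
"""
import ipaddress
import struct

# Record type codes as stored in the Type field (standard DNS numeric values).
# Type 0 is the tombstone record the server writes in place of deleted data.
TYPES = {0: "TOMBSTONE", 1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 28: "AAAA", 33: "SRV"}


def parse_count_name(buf, off=0):
    """DNS_COUNT_NAME: a length byte, a label-count byte, then length-prefixed
    labels terminated by a zero byte. Returns (dotted FQDN, offset past it)."""
    off += 2  # skip total length and label count; the zero byte ends the name
    labels = []
    while buf[off] != 0:
        n = buf[off]
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def encode_count_name(name):
    """Inverse of parse_count_name, used here to build the sample input."""
    labels = [lab.encode("ascii") for lab in name.rstrip(".").split(".")]
    raw = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


def build_dns_record(rtype, rdata, ttl=3600, serial=1):
    """Encode one dnsRecord value: 24-byte header (little-endian except the
    TTL, which is stored in network byte order) followed by the RDATA."""
    version, rank, flags, reserved, timestamp = 5, 0xF0, 0, 0, 0  # 0xF0 = authoritative zone data
    hdr = struct.pack("<HHBBHI", len(rdata), rtype, version, rank, flags, serial)
    hdr += struct.pack(">I", ttl) + struct.pack("<II", reserved, timestamp)
    return hdr + rdata


def parse_dns_record(blob):
    """Return a dict with the type, TTL and human-readable RDATA of one value."""
    if len(blob) < 24:
        raise ValueError("dnsRecord value shorter than its 24-byte header")
    data_len, rtype, _ver, rank, _flags, serial = struct.unpack_from("<HHBBHI", blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]
    _reserved, timestamp = struct.unpack_from("<II", blob, 16)
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the value")
    rec = {"type": TYPES.get(rtype, f"TYPE{rtype}"), "ttl": ttl, "serial": serial,
           "rank": rank, "timestamp": timestamp}  # timestamp: aging hours, 0 = static
    if rtype == 1:
        rec["rdata"] = str(ipaddress.IPv4Address(data))
    elif rtype == 28:
        rec["rdata"] = str(ipaddress.IPv6Address(data))
    elif rtype in (2, 5, 12):
        rec["rdata"] = parse_count_name(data)[0]
    elif rtype == 33:
        prio, weight, port = struct.unpack_from(">HHH", data, 0)
        rec["rdata"] = f"{prio} {weight} {port} {parse_count_name(data, 6)[0]}"
    elif rtype == 0:
        # DNS_RPC_RECORD_TS: FILETIME at which the record was entombed
        rec["rdata"] = "entombed filetime=%d" % struct.unpack_from("<Q", data, 0)[0]
    else:
        rec["rdata"] = data.hex()
    return rec


# Constructed sample: three dnsNode objects of one zone, shaped like an LDAP
# result (distinguished name, dnsTombstoned, list of raw dnsRecord values).
ZONE_DN = "DC=rallencorp.com,CN=MicrosoftDNS,DC=DomainDnsZones,DC=rallencorp,DC=com"
SAMPLE_NODES = [
    {"dn": "DC=@," + ZONE_DN, "dnsTombstoned": False,
     "dnsRecord": [build_dns_record(2, encode_count_name("dc1.rallencorp.com"))]},
    {"dn": "DC=dc1," + ZONE_DN, "dnsTombstoned": False,
     "dnsRecord": [build_dns_record(1, ipaddress.IPv4Address("192.168.10.5").packed, ttl=1200)]},
    {"dn": "DC=old-web," + ZONE_DN, "dnsTombstoned": True,
     "dnsRecord": [build_dns_record(0, struct.pack("<Q", 133000000000000000))]},
]


def dump_zone(nodes):
    """Render nodes as zone-file-style lines. Tombstoned nodes are still
    returned by LDAP, so they are tagged instead of being shown as live data."""
    lines = []
    for node in nodes:
        owner = node["dn"].split(",", 1)[0].split("=", 1)[1]
        tag = "  ; dnsTombstoned=TRUE" if node["dnsTombstoned"] else ""
        for value in node["dnsRecord"]:
            rec = parse_dns_record(value)
            lines.append(f"{owner} {rec['ttl']} IN {rec['type']} {rec['rdata']}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(dump_zone(SAMPLE_NODES)))
```

To use it against a real zone, read the dnsNode objects under the zone's DN over LDAP (an ldapsearch for objectClass=dnsNode, for instance) and pass each dnsRecord value to parse_dns_record. Such a search also returns nodes with dnsTombstoned=TRUE, which is why dump_zone tags them; a value whose Type field is 0 is the tombstone marker rather than live data. Because build_dns_record is the inverse of the parser, it also shows what a principal with write access to the zone (Recipe 13.6) would put in a dnsRecord value when adding a record through LDAP instead of dnscmd.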

Posted: 05/07/2014, 08:20
