3. Installing and Configuring DNS on the First Domain Controller
These instructions include installing Active Directory. However they are written so that you can still use them if you have already installed Active Directory; simply skip any steps that you have already completed.
- Check TCP/IP configuration
- Install Active Directory
- Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use Server Manager to add the Active Directory Domain Services role; make sure you select [Use advanced mode installation] when the Active Directory Domain Services Installation Wizard (dcpromo) starts up.
- When prompted about DNS (2000, 2003) or on the Additional Domain Controller Options page (2008), make sure that DNS will not be installed (on 2000 and 2003, choose to install and configure it yourself). 2008 Server will probably tell you that it can't install it anyway, because the server isn't authoritative for the domain. On 2008 Server Core, put InstallDNS=No in an answer file, or use the /InstallDNS:No command-line switch.
- Install the DNS Service
- Create the DNS zones for Active Directory
- Once Active Directory and the DNS service are both installed, open the DNS management program ([Administrative Tools]). If you allowed DNS to be installed automatically, you may already have two zones called unit.ox.ac.uk and _msdcs.unit.ox.ac.uk. Delete the first of these, keep the second, and create the missing zones described below.
- Now create the following forward lookup zones as Active Directory-integrated, allowing only secure dynamic updates (right-click on [Forward Lookup Zones] and choose [New Zone...]). This process is explained in more detail in the Appendix: How to Create and Configure a Zone. For 2008 Server Core, use another machine to administer DNS, or use DNSCMD, which is beyond the scope of these instructions (see Dnscmd Syntax).
- For each zone, configure an appropriate contact address (Responsible person) under the [Start of Authority (SOA)] tab, substituting a . for the @ and adding a . to the end of the address (so hostmaster@unit.ox.ac.uk becomes hostmaster.unit.ox.ac.uk.).
- For domain controllers running 2003 and above, for the forest root domain only, edit the properties of the _msdcs.unitDNSname.ox.ac.uk zone and on the [General] tab ensure that it is configured to replicate to all DNS servers in the Active Directory forest. This is particularly important in multi-domain forests. The other zones should be configured to replicate to DNS servers or domain controllers within the domain, rather than the forest.
- Configure Forwarders
- Configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. This is recommended for security reasons (the domain controller then does not have to resolve Internet names itself) and also speeds up queries for information in the ox.ac.uk domain. Configure this via the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses of each of the DNS Caching Resolvers to the forwarders list for this entry. (On 2008 the Forwarders tab is a single list of addresses; per-domain entries are configured separately under Conditional Forwarders.)
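The zone creation, SOA contact and replication-scope steps above, together with the forwarder configuration, as one added example that is not part of the original page: the same settings applied with dnscmd from a management host, which is also the route the page points to for 2008 Server Core. The server name dc1.unit.ox.ac.uk, the domain unit.ox.ac.uk, the contact mailbox, the resolver addresses and the _sites/_tcp/_udp zone names are assumptions; the page's own list of zones is not reproduced here, and those three are the standard Netlogon subdomains standing in for it.

```powershell
# Added example (not from the page): configure the first DC's DNS server with
# dnscmd from a management host. Assumed values: DC dc1.unit.ox.ac.uk, AD domain
# unit.ox.ac.uk (forest root), contact hostmaster@unit.ox.ac.uk, and placeholder
# resolver addresses. dnscmd.exe needs DNS administrator rights on the target.
$Server    = 'dc1.unit.ox.ac.uk'
$Domain    = 'unit.ox.ac.uk'
$Contact   = 'hostmaster@unit.ox.ac.uk'
$Resolvers = @('192.0.2.1', '192.0.2.2')   # placeholders: use the DNS Caching Resolver addresses

# RFC 1035 RNAME form of a mailbox: '@' becomes '.', a '.' inside the local
# part is escaped as '\.', and the name ends with a trailing '.'.
function ConvertTo-SoaRname([string]$Mailbox) {
    $local, $mailHost = $Mailbox -split '@', 2
    return ($local -replace '\.', '\.') + '.' + $mailHost + '.'
}

# Replace the responsible person in a zone's SOA, bumping the serial.
function Set-SoaResponsible([string]$Zone, [string]$Rname) {
    $soa = @(& dnscmd $Server /EnumRecords $Zone '@' /Type SOA) -match '\sSOA\s'
    if (-not $soa -or $soa[0] -notmatch 'SOA\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)') {
        throw "Could not read the SOA of $Zone from $Server"
    }
    $primary = $Matches[1]
    $serial  = [int]$Matches[3] + 1
    # SOA rdata order: primary server, responsible person, serial, refresh, retry, expire, min TTL
    & dnscmd $Server /RecordAdd $Zone '@' SOA $primary $Rname $serial $Matches[4] $Matches[5] $Matches[6] $Matches[7]
}

# The page says to delete the domain zone if the wizard created it (the central
# servers are authoritative for it) and to keep _msdcs.
& dnscmd $Server /ZoneDelete $Domain /DsDel /f

# _msdcs.<forest root> must replicate to every DNS server in the forest; the
# other zones stay within the domain. Zone names below _msdcs are assumed.
$Zones = @(
    @{ Name = "_msdcs.$Domain"; Scope = '/forest' },
    @{ Name = "_sites.$Domain"; Scope = '/domain' },
    @{ Name = "_tcp.$Domain";   Scope = '/domain' },
    @{ Name = "_udp.$Domain";   Scope = '/domain' }
)
$Rname = ConvertTo-SoaRname $Contact        # hostmaster.unit.ox.ac.uk.
foreach ($z in $Zones) {
    # /ZoneAdd reports an error and changes nothing if the zone already exists
    # (e.g. the _msdcs zone the page says to keep); /ZoneResetType changes its scope.
    & dnscmd $Server /ZoneAdd $z.Name /DsPrimary /dp $z.Scope   # AD-integrated, in that partition
    & dnscmd $Server /Config  $z.Name /AllowUpdate 2             # 2 = secure dynamic updates only
    Set-SoaResponsible -Zone $z.Name -Rname $Rname
}

# Forwarders: everything the server is not authoritative for goes to the
# caching resolvers. /Slave stops the server falling back to root hints when
# the forwarders do not answer, so it never recurses to the Internet itself;
# use /NoSlave if that fallback is wanted. /TimeOut is seconds per forwarder.
& dnscmd $Server /ResetForwarders $Resolvers /TimeOut 5 /Slave

# Check: Storage should read AD-Forest for _msdcs and AD-Domain for the rest,
# Properties should read Secure, and the forwarder settings should be ours.
& dnscmd $Server /EnumZones
& dnscmd $Server /Info | Select-String -Pattern 'Forward|Slave'
```

If /ZoneAdd with /dp /forest complains that the directory partition does not exist (2003 and above), create the built-in partitions first with dnscmd <server> /CreateBuiltinDirectoryPartitions /forest and rerun. The Slave choice is the dnscmd equivalent of the recursion checkbox on the Forwarders tab: with /Slave a resolver outage makes off-site names fail closed rather than the domain controller quietly querying the root servers itself.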
- Configure delegations from the central DNS servers
- Use the [Change Active Directory server definitions] page on the Interface for Host Updates, linked from the OUCS DNS page, to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc). Always register the canonical or standard name of the server; don't register an alias (it doesn't work correctly).
- Update TCP/IP configuration
- Open the TCP/IP properties of the network connection, remove the Oxford DNS server address(es) and replace them with the address of your new DNS server (i.e. its own address). You can use 127.0.0.1, although some of the diagnostic tools report an error with that address but not with the server's real address.
- Register and check records
- Reboot the server, restart the Netlogon service, or wait a few hours to trigger the registration of records in DNS.
- Take a look in the file C:\Windows\System32\Config\netlogon.dns and compare the entries with those in the DNS management tool. You may need to refresh, or even restart, the latter before you can see them.
- Run tests to check for errors
- Check the event logs for errors. Expect to see event 5774, which complains that it can't register all of the records. The problem is the host (A) record for the domain itself. You can suppress this by adding a multi-string (REG_MULTI_SZ) value under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key with the data value LdapIpAddress; see Restrict the DNS resource records that are updated by Netlogon for the value name and details. This may not be supported on Windows 2000, only 2003 upwards.
- Run netdiag /v /test:dns and dcdiag /v /test:dns, using the Support Tools included on the Windows Server CD (the latter won't work on 2000) and included as part of 2008, to check that everything looks healthy.
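The register-and-check steps above, as an added example that is not part of the original page: run on the domain controller after Netlogon has registered, it parses netlogon.dns, asks the DNS server for each record, lists the ones that are not answered (flagging the domain's own A record, which event 5774 is about), then applies the Netlogon registry restriction and runs the dcdiag DNS test. The DC name dc1.unit.ox.ac.uk and domain unit.ox.ac.uk are assumptions, and the registry value name DnsAvoidRegisterRecords does not appear on the page; it comes from the Microsoft article the page cites.

```powershell
# Added example (not from the page). Run on the domain controller after
# Netlogon has registered. Assumed: DC dc1.unit.ox.ac.uk, domain unit.ox.ac.uk,
# English nslookup output, nslookup.exe and dcdiag.exe on the path. The
# registry value name comes from the Microsoft article the page cites.
$Server  = 'dc1.unit.ox.ac.uk'
$Domain  = 'unit.ox.ac.uk'
$DnsFile = Join-Path $env:SystemRoot 'System32\Config\netlogon.dns'

# netlogon.dns lines look like "<owner>. <ttl> IN <type> <rdata>", e.g.
#   _ldap._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
function Get-NetlogonRecords([string]$Path) {
    foreach ($line in Get-Content $Path) {
        if ($line -notmatch '^(\S+)\.\s+\d+\s+IN\s+(A|CNAME|SRV)\s+(.+?)\s*$') { continue }
        $rdata = $Matches[3] -split '\s+'
        $port = $null
        if ($Matches[2] -eq 'SRV') { $port = $rdata[2] }   # SRV rdata: priority weight port target
        New-Object PSObject -Property @{
            Owner  = $Matches[1]
            Type   = $Matches[2]
            Target = $rdata[-1].TrimEnd('.')   # name or address the answer must contain
            Port   = $port
        }
    }
}

# Query the DNS server and check the answer names the expected target (and,
# for SRV, the expected port). Only those tokens are looked for, so this is a
# coarse presence check rather than a full record comparison.
function Test-NetlogonRecord($Record, [string]$DnsServer) {
    $lines = @(& nslookup "-type=$($Record.Type)" $Record.Owner $DnsServer 2>&1 | ForEach-Object { "$_" })
    # nslookup first prints the server it is using, then a blank line. Skip that
    # header so the DC's own name and address cannot satisfy the check by accident.
    $start = 0
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i].Trim() -eq '') { $start = $i + 1; break } }
    $answer = ($lines | Select-Object -Skip $start) -join "`n"
    $ok = $answer -match [regex]::Escape($Record.Target)
    if ($Record.Type -eq 'SRV') { $ok = $ok -and ($answer -match "port\s*=\s*$($Record.Port)\b") }
    return $ok
}

$records = @(Get-NetlogonRecords $DnsFile)
$missing = @($records | Where-Object { -not (Test-NetlogonRecord $_ $Server) })
"{0} of {1} Netlogon records answered by {2}" -f ($records.Count - $missing.Count), $records.Count, $Server
foreach ($r in $missing) {
    # The A record for the domain itself is the one event 5774 complains about;
    # it is expected to be missing when that zone lives on the central servers.
    $note = ''
    if ($r.Type -eq 'A' -and $r.Owner -eq $Domain) { $note = '(expected, see event 5774)' }
    "MISSING {0,-5} {1} -> {2} {3}" -f $r.Type, $r.Owner, $r.Target, $note
}

# Stop Netlogon registering the domain A record (value name from the cited
# Microsoft article), re-register the remaining records, then run the DNS test.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $Key -Name 'DnsAvoidRegisterRecords' -PropertyType MultiString `
    -Value @('LdapIpAddress') -Force | Out-Null
Restart-Service Netlogon
& dcdiag /v /test:dns
```

Anything other than the domain A records in the MISSING list means a zone is absent, not accepting secure updates from this host, or not yet visible to the server; restarting Netlogon re-registers without a reboot. With the registry value in place the remaining 5774 events should stop, so any further ones point at a real registration failure.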
- Configure Firewalls and Clients