3. Installing and Configuring DNS on the First Domain Controller

These instructions include installing Active Directory. However, they are written so that you can still use them if you have already installed Active Directory; simply skip any steps that you have already completed.

Check TCP/IP configuration
  • On the first domain controller, open the TCP/IP properties of the network connection and make sure that the DNS servers listed are the usual Computing Services DNS servers.
Install Active Directory
  • Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use the Server manager to add the Active Directory Domain Services role; make sure you select [Use advanced mode installation] when the Active Directory Domain Services Installation Wizard (dcpromo) starts up.
  • When prompted about DNS (2000, 2003) or on the Additional Domain Controller Options page (2008), make sure that DNS will not be installed (on 2000 and 2003, choose to install and configure it yourself). 2008 Server will probably tell you that it can't install it anyway as it isn't authoritative for the domain. On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo.
Install the DNS Service
  • Use [Add/Remove Programs] (Windows Components/Networking Services) or the Configure your Server wizard to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role. Again, 2008 may protest about the domain authority; ignore it.
Create the DNS zones for Active Directory
  • Once Active Directory and the DNS service are both installed, open the DNS management program ([Administrative Tools]). If you allowed DNS to be installed automatically, you may already have two zones created called unit.ox.ac.uk and _msdcs.unit.ox.ac.uk. You should delete the first of these, keep the second and create the missing zones described below.
  • Now create the following forward lookup zones as Active Directory-integrated allowing secure dynamic updates (right-click on [Forward Lookup Zones] and choose [New Zone...].) This process is explained in more detail in the Appendix: How to Create and Configure a Zone. For 2008 Server Core, use another machine to administer DNS, or use DNSCMD, which is beyond the scope of these instructions (see Dnscmd Syntax.)
    • _tcp.unitDNSname.ox.ac.uk
    • _udp.unitDNSname.ox.ac.uk
    • _sites.unitDNSname.ox.ac.uk
    • _msdcs.unitDNSname.ox.ac.uk
    • DomainDnsZones.unitDNSname.ox.ac.uk
    • ForestDnsZones.unitDNSname.ox.ac.uk
  • For each zone, configure an appropriate contact address (Responsible person) under the [Start of Authority (SOA) tab], substituting a . for the @ and adding a . to the end of the address.
  • For domain controllers running 2003 and above, for the forest root domain only, edit the properties of the _msdcs.unitDNSname.ox.ac.uk zone and on the [General] tab ensure that it is configured to replicate to All DNS servers in the Active Directory forest. This is particularly important in multi-domain forests. The zones for the other domains should be configured to replicate to DNS servers or domain controllers within the domain, rather than the forest.
Configure Forwarders
  • Configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. This is recommended for security reasons and also speeds up queries for information in the ox.ac.uk domain. Configure this via the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry.
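The zone, SOA, replication-scope and forwarder steps above, done from a command prompt with dnscmd rather than the DNS management console. This is an added example and not part of the original page or of any OUCS tooling; it assumes Windows Server 2003 or later (the /DP switch does not exist on 2000), that this server is in the forest root domain, and that dnscmd.exe is present (it is on 2008 Server Core once the DNS role is installed). The unit name, contact address and resolver addresses are placeholders to replace with your own.

```powershell
# Added example (not from the original page): create the six AD-integrated zones,
# set their SOA responsible person, give _msdcs forest-wide replication and
# point forwarders at the Caching Resolvers. Assumes Windows Server 2003+.
$unit      = 'unitDNSname.ox.ac.uk'                  # placeholder
$contact   = 'hostmaster@unitDNSname.ox.ac.uk'       # placeholder
$resolvers = @('192.0.2.53', '192.0.2.54')           # placeholders (documentation range); use the real Caching Resolver addresses

# Responsible person for the SOA: '@' becomes '.', and the name ends in '.'.
# Caveat the page does not mention: a dot inside the local part
# (john.smith@...) must be escaped as '\.' per RFC 1035.
function ConvertTo-ResponsiblePerson([string]$Email) {
    $local, $mailDomain = $Email -split '@', 2
    return ($local -replace '\.', '\.') + '.' + $mailDomain + '.'
}

function Add-AdIntegratedZone([string]$Zone, [string]$Scope) {
    & dnscmd.exe /ZoneInfo $Zone | Out-Null
    if ($LASTEXITCODE -eq 0) {
        # Already present (e.g. _msdcs created by dcpromo): keep it, but make
        # sure it is stored in the directory partition with the scope we want.
        Write-Host "$Zone exists; setting replication scope to $Scope"
        & dnscmd.exe /ZoneChangeDirectoryPartition $Zone "/$Scope"
    } else {
        # /DsPrimary = Active Directory-integrated; /DP /domain or /forest = replication scope
        & dnscmd.exe /ZoneAdd $Zone /DsPrimary /DP "/$Scope"
    }
    # AllowUpdate 2 = secure dynamic updates only (0 = none, 1 = nonsecure and secure)
    & dnscmd.exe /Config $Zone /AllowUpdate 2
}

$self   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName + '.'
$rp     = ConvertTo-ResponsiblePerson $contact
$serial = (Get-Date).ToString('yyyyMMdd') + '01'

# _msdcs of the forest root replicates to every DNS server in the forest;
# the other zones stay within the domain, as the page recommends.
$zoneScopes = @{
    "_msdcs.$unit"         = 'forest'
    "_tcp.$unit"           = 'domain'
    "_udp.$unit"           = 'domain'
    "_sites.$unit"         = 'domain'
    "DomainDnsZones.$unit" = 'domain'
    "ForestDnsZones.$unit" = 'domain'
}

foreach ($zone in $zoneScopes.Keys) {
    Add-AdIntegratedZone $zone $zoneScopes[$zone]
    # /RecordAdd with SOA replaces the zone's SOA: primary server, responsible
    # person, serial, refresh, retry, expire, minimum TTL (Windows defaults)
    & dnscmd.exe /RecordAdd $zone '@' SOA $self $rp $serial 900 600 86400 3600
}

# Send every query this server is not authoritative for to the Caching Resolvers
# (the "All other DNS domains" entry on the Forwarders tab).
& dnscmd.exe /ResetForwarders $resolvers
```

Run it once on the first domain controller after the DNS service is installed; re-running it is harmless, since existing zones are kept and only their scope, update policy and SOA are reasserted.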
Configure delegations from the central DNS servers
  • Use the [Change Active Directory server definitions] on the Interface for Host Updates page, linked from the OUCS DNS page to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc). Always register the canonical or standard name of the server; don't register an alias (it doesn't work correctly).
Update TCP/IP configuration
  • Open the TCP/IP properties of the network connection, remove the Oxford DNS server address(es) and replace them with the address of your new DNS server (i.e. its own address). You can use the address (although some of the diagnostics tools may report an error if you use this address but won't if you use the real address of the server).
Register and check records
  • Reboot the server, or restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS.
  • Take a look in the file C:\Windows\System32\Config\netlogon.dns and compare the entries with the entries in the DNS management tool. You may need to refresh or even restart the latter before you can see them.
Run tests to check for errors
  • Check the event logs for errors. Expect to see 5774, where it complains that it can't register all of the records. The problem is the host (A) record for the domain itself. You can suppress this by adding a multi-string (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, and entering the data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
  • Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support tools included on the Windows server CD (the latter won't work on 2000), and included as part of 2008, to check that everything looks healthy.
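The register-and-check steps above (restarting Netlogon, comparing netlogon.dns with what the DNS server actually holds, suppressing the 5774 complaint, and running dcdiag) as one script. This is an added example and not part of the original page or of any OUCS tooling; it assumes Windows Server 2003 or later, that dnscmd.exe, nltest.exe and dcdiag.exe are on the path, and that the six zones from the previous section exist on this server. The unit name is a placeholder.

```powershell
# Added example (not from the original page): verify Netlogon's DNS
# registration on the first DC without rebooting. Assumes Windows Server 2003+.
$unit  = 'unitDNSname.ox.ac.uk'   # placeholder
$zones = @("_msdcs.$unit", "_sites.$unit", "_tcp.$unit", "_udp.$unit",
           "DomainDnsZones.$unit", "ForestDnsZones.$unit")

# 1. Stop Netlogon trying to register the domain's own host (A) record, which
#    lives in the centrally managed unit zone and is the usual cause of event 5774.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
New-ItemProperty -Path $params -Name DnsAvoidRegisterRecords `
    -PropertyType MultiString -Value @('LdapIpAddress') -Force | Out-Null

# 2. Re-register now rather than rebooting or waiting a few hours.
Restart-Service Netlogon
& nltest.exe /dsregdns | Out-Null

# 3. Parse netlogon.dns; each line is "owner TTL IN type rdata".
function Get-NetlogonRecords {
    param([string]$Path = "$env:SystemRoot\System32\Config\netlogon.dns")
    foreach ($line in Get-Content $Path) {
        if ($line -match '^(\S+)\s+(\d+)\s+IN\s+(\w+)\s+(.+)$') {
            New-Object PSObject -Property @{
                Name = $matches[1].TrimEnd('.')
                Type = $matches[3]
                Data = $matches[4].Trim()
            }
        }
    }
}

# 4. Find the local zone that should hold a record (longest matching suffix).
function Get-OwningZone([string]$Name) {
    $best = $null
    foreach ($z in $zones) {
        if (($Name -eq $z -or $Name.EndsWith(".$z")) -and
            ($best -eq $null -or $z.Length -gt $best.Length)) { $best = $z }
    }
    return $best
}

# 5. Ask the DNS server for the node and look for the record's target in the answer.
function Test-RecordPresent($Record, [string]$Zone) {
    $node = if ($Record.Name -eq $Zone) { '@' }
            else { $Record.Name.Substring(0, $Record.Name.Length - $Zone.Length - 1) }
    $answer = (& dnscmd.exe /EnumRecords $Zone $node /Type $Record.Type 2>&1) -join "`n"
    $target = ($Record.Data -split '\s+')[-1].TrimEnd('.')   # host for SRV/CNAME, address for A
    return ($answer -match [regex]::Escape($target))
}

$missing = 0
foreach ($r in Get-NetlogonRecords) {
    $zone = Get-OwningZone $r.Name
    if ($zone -eq $null) {
        # e.g. the A record for the domain itself: no local zone can hold it,
        # so registration fails here; that is the record DnsAvoidRegisterRecords suppresses.
        Write-Host "SKIP    $($r.Type) $($r.Name) (outside the locally hosted zones)"
    } elseif (Test-RecordPresent $r $zone) {
        Write-Host "OK      $($r.Type) $($r.Name) in $zone"
    } else {
        Write-Host "MISSING $($r.Type) $($r.Name) in $zone"
        $missing++
    }
}
Write-Host "$missing record(s) from netlogon.dns not found in the local zones"

# 6. Finish with the health check the page recommends (dcdiag is part of 2008).
& dcdiag.exe /v /test:dns
```

A SKIP line for the domain's own A record is expected in this setup and is not a fault; a MISSING line for anything inside the six zones means Netlogon's dynamic update was refused, so check that the zone allows secure dynamic updates and that the server's TCP/IP settings point at itself.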
Configure Firewalls and Clients
  • Refer to the other sections in this document for details on configuring perimeter firewalls and clients as well as subsequent domain controllers.
