Use a batch file to create a dynamic DNS infrastructure
In past Inside Out columns, I've shown you how to use simple batch files to set up just-installed systems as domain controllers (DCs) and to create disaster-recovery tools. I've also shown you how to use Netsh to configure and fine-tune your IP stack—the first step toward making a Windows Server 2003 or Windows 2000 server ready to ascend to DC status. What an Active Directory (AD) setup needs next is a dynamic DNS (DDNS) infrastructure.
In my ongoing example, I'm creating a single-domain forest called bigfirm.biz that contains two DCs: UptownDC.bigfirm.biz at 192.168.0.2 and DowntownDC.bigfirm.biz at 10.0.0.2. The 192 and 10 subnets both use a 255.255.255.0 subnet mask, and I intend for each machine to be both a DC and a DNS server. Both systems boast freshly installed copies of Windows 2003 or Win2K Server, as well as Microsoft's DNS server software, which ships with both OSs. Each system's IP stack is already set up through the earlier columns' batch files, and each system's DNS suffix is set to bigfirm.biz. The goal of my latest batch file is to set up DNS on each system. UptownDC will be the primary DNS server for bigfirm.biz and for a 192.168.0.x reverse-lookup zone, and it will be the secondary DNS server for a 10.0.0.x reverse-lookup zone. DowntownDC will be a secondary DNS server for bigfirm.biz and for the 192.168.0.x reverse-lookup zone, and it will be the primary DNS server for the 10.0.0.x reverse-lookup zone.
My primary tool for command-line DNS configuration is Dnscmd, which is in the Windows 2003 Support Tools folder and the Microsoft Windows 2000 Resource Kit. I need to install this tool on both UptownDC and DowntownDC. Dnscmd is powerful but has a fairly convoluted syntax, so I hope you find the examples in these batch files useful.
First, to create the bigfirm.biz zone, use the command
dnscmd localhost /zoneadd bigfirm.biz /primary /file bigfirm.biz.dns
The localhost parameter tells Dnscmd the DNS server on which to perform the command. I'm running this batch file directly on UptownDC, so localhost suffices. However, the tool's remote capability means that I could simply install Dnscmd on a Windows XP box and run the batch file to set up UptownDC and DowntownDC—assuming I had connectivity to them and was running under an account with administrative rights on both servers. The /zoneadd parameter creates a new zone on localhost; in this case, the name of the zone is bigfirm.biz. The /primary parameter makes the zone a standard (file-backed) primary zone. The purpose of the /file bigfirm.biz.dns parameter will be clear to anyone who has ever used the wizard to set up a DNS zone. Microsoft DNS needs a file in which to store the zone's information. Bigfirm.biz.dns will reside in \windows\system32\dns (in Windows 2003) or \winnt\system32\dns (in Win2K).
As an alternative to the /primary parameter, you can use the /secondary parameter to create a secondary DNS zone or the /DsPrimary parameter to create AD-integrated zones. If you're wondering why I'm not creating an AD-integrated zone, remember that I don't have AD running yet. I'll be able to shift from primary to AD-integrated later by using the command
The Dnscmd /zoneadd command almost completes the zone's initial setup, but you have one more task ahead of you: enabling dynamic updates. To perform that task, you use the command
dnscmd localhost /config bigfirm.biz /AllowUpdate 1
The value 1 permits both secure and nonsecure dynamic updates. Be aware of what that means: a standard primary zone can't accept secure-only updates (value 2 is available only for AD-integrated zones), so until you convert the zone, any host that can reach the server can register or overwrite records in it. That's acceptable while you're building the forest on an isolated network, but it's a reason to make the conversion to AD-integrated, secure-only updates one of your first tasks after Dcpromo finishes.
Next, I want to tell the bigfirm.biz zone that it will have two DNS servers—Name Servers (NSs), in DNS parlance—called UptownDC and DowntownDC. Microsoft DNS automatically installs an NS record for the server you use as a zone's primary DNS server, so UptownDC is covered, but I need to add the NS record for DowntownDC. To do so, I'd typically insert an NS record into the zone, as follows:
@ NS downtowndc.bigfirm.biz.
In this record, the at symbol (@) means that this record refers to the current zone (bigfirm.biz), NS specifies that you're adding a name server to that zone, and downtowndc.bigfirm.biz. is that NS's name. The trailing period matters in zone-file syntax: it marks the name as fully qualified, and without it the server appends the zone name and ends up looking for downtowndc.bigfirm.biz.bigfirm.biz. However, telling the bigfirm.biz zone that I've got an NS called downtowndc.bigfirm.biz doesn't complete the task. Because that NS lives inside the very zone it serves, the DNS server hosting the zone also needs DowntownDC's IP address. So I'd also include a host (A) record to tell the zone that downtowndc.bigfirm.biz has an IP address of 10.0.0.2:
downtowndc A 10.0.0.2
Alternatively, you can use the Dnscmd /recordadd command to have the batch file insert the NS and host records:
dnscmd localhost /recordadd bigfirm.biz @ NS downtowndc.bigfirm.biz.
dnscmd localhost /recordadd bigfirm.biz downtowndc A 10.0.0.2
As before, the command starts by naming the server (in this example, localhost) on which to perform the operation. Then, the /recordadd option needs the name of the zone to which to add the record, followed by the record itself, written the way it would appear in the zone file: owner name, record type, record data.
You might wonder why I'm worrying about NS records. If you've ever tinkered with a Microsoft-based DNS server, you probably know that naming a given zone's secondary DNS servers isn't really necessary. I commonly see Microsoft-based DNS zones with just one NS record for the primary server. Why worry about NS records for your batch file? First, in the interest of correctness, you really should name all the zone's servers. Second, naming every NS is a good idea so that you can secure your zone.
To see why, on a Win2K server start the Microsoft Management Console (MMC) DNS snap-in, open the Forward Lookup Zones folder, then locate and right-click the zone. Choose Properties and select the Zone Transfers tab, on which you'll see the Allow zone transfers check box and several options. The default option is To any server, which lets anyone who can reach your DNS server on TCP port 53 set up a DNS server, declare it a secondary for your zone, and ask your server to transfer everything it knows about that zone—every host name and address in it, which is exactly the map an attacker wants. The other options are Only to servers listed on the Name Servers tab and Only to the following servers, which lets you supply a list of IP addresses.
In Windows 2003, Microsoft changed the DNS server's defaults. If you create a zone with a Windows 2003–based DNS server, you'll see that—by default—the server will transfer a DNS zone's information only to a server that has an NS record in that zone. So, if you're using Windows 2003, you'll be glad you've been careful about naming secondary DNS servers: a server you forgot to name simply won't get the zone. And if you're using Win2K, visit the Zone Transfers tab (Dnscmd can set the same restriction from a batch file) to tighten up your existing zones.
Now that you've taken care of bigfirm.biz, you can set up the reverse-lookup zone for 192.168.0.x. As before, you need to use the Dnscmd /zoneadd command to create the zone, the Dnscmd /config command to make it dynamic, and the Dnscmd /recordadd command to add DowntownDC as a secondary DNS server for the zone:
dnscmd localhost /zoneadd 0.168.192.in-addr.arpa /primary /file 192.dns
dnscmd localhost /config 0.168.192.in-addr.arpa /AllowUpdate 1
dnscmd localhost /recordadd 0.168.192.in-addr.arpa @ NS downtowndc.bigfirm.biz.
The only item that requires explanation is the new zone's name—0.168.192.in-addr.arpa. Reverse-lookup zones resemble the network number of a subnet (e.g., 192.168.0), but they're reversed, with the in-addr.arpa suffix appended. When you reverse 192.168.0, you get 0.168.192; when you add in-addr.arpa, you have the zone's name.
Although I haven't yet created the reverse-lookup zone for the 10.0.0 subnet (because I haven't set up DowntownDC, its future primary DNS server), I want UptownDC to be a secondary DNS server for 10.0.0's reverse-lookup zone, so I might as well create the secondary zone for 10.0.0 now; it will sit empty until its master exists and answers the first transfer request. To do so, I can use the Dnscmd /zoneadd command but with a somewhat different syntax. I still have to specify the server, the zone's name, and (optionally) the name of its zone file. But secondary zones need one more piece of information: Who's the master? In other words, which server should the secondary DNS server look to for updating its data about that zone? That command looks like
dnscmd localhost /zoneadd 0.0.10.in-addr.arpa /secondary 10.0.0.2
The zone name for the 10.0.0 network is the quads reversed with the in-addr.arpa suffix. The /secondary option replaces the /primary option that you've seen in previous Dnscmd /zoneadd commands, and notice that an IP address follows the /secondary option. It's the IP address of the server to which this secondary DNS server should look to find the latest information about the 0.0.10.in-addr.arpa zone.
Adding an Ipconfig /registerdns command to the end of this type of batch file makes the server register its own host (A) and pointer (PTR) records in the zones you've just created, using the dynamic update you enabled, rather than waiting for the next automatic refresh. The result is the batch file that Listing 1 shows.
Let's finish by creating a similar batch file for DowntownDC—an easier task. You simply need to make DowntownDC a secondary server for bigfirm.biz and 0.168.192.in-addr.arpa, then create the 0.0.10.in-addr.arpa zone and make it dynamic. The result is the batch file that Listing 2 shows. The first three commands in Listing 2 create the secondary and primary zones. The fourth command sets the reverse-lookup zone for 10.0.0 to be dynamic. The fifth command adds UptownDC as a secondary DNS server for that zone. Finally, the batch file tells the DNS server to register itself.
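Listings 1 and 2 aren't reproduced here, so the following batch file is an added example reconstructed from the commands in this column rather than the column's own listings. It carries both listings in one script, choosing the UptownDC or DowntownDC half from the COMPUTERNAME variable so that the same file can be copied to both machines, and it adds three things the column describes but doesn't script: the zone-transfer restriction (Dnscmd /zoneresetsecondaries /securens, the command-line equivalent of the Only to servers listed on the Name Servers tab option), a Dnscmd /zoneinfo check of each zone's update and secure-secondaries settings, and, commented out, the post-Dcpromo conversion to an AD-integrated zone with secure-only updates. The script name dns-setup.cmd and the file name 10.dns for DowntownDC's reverse zone are my assumptions; the column doesn't name either.

```batch
@echo off
rem dns-setup.cmd -- added example built from this column's Dnscmd commands;
rem it is not the column's Listing 1 or Listing 2. Assumes Dnscmd is installed
rem on both DCs and that the file is run locally on each one.
setlocal

if /i "%COMPUTERNAME%"=="UPTOWNDC"   goto uptown
if /i "%COMPUTERNAME%"=="DOWNTOWNDC" goto downtown
echo Unknown host %COMPUTERNAME%; nothing done.
exit /b 1

:uptown
rem --- Listing 1 equivalent: UptownDC (192.168.0.2) ---
rem Primary for bigfirm.biz. AllowUpdate 1 = nonsecure AND secure updates.
rem A file-backed primary can't do secure-only (value 2), so until the zone
rem is converted after Dcpromo, any host that can reach this server may add
rem or overwrite records.
dnscmd localhost /zoneadd bigfirm.biz /primary /file bigfirm.biz.dns
dnscmd localhost /config bigfirm.biz /AllowUpdate 1
rem DowntownDC is an NS inside the zone, so it needs a glue A record too.
dnscmd localhost /recordadd bigfirm.biz @ NS downtowndc.bigfirm.biz.
dnscmd localhost /recordadd bigfirm.biz downtowndc A 10.0.0.2

rem Primary for the 192.168.0.x reverse-lookup zone.
dnscmd localhost /zoneadd 0.168.192.in-addr.arpa /primary /file 192.dns
dnscmd localhost /config 0.168.192.in-addr.arpa /AllowUpdate 1
dnscmd localhost /recordadd 0.168.192.in-addr.arpa @ NS downtowndc.bigfirm.biz.

rem Secondary for the 10.0.0.x reverse zone; 10.0.0.2 (DowntownDC) is master.
dnscmd localhost /zoneadd 0.0.10.in-addr.arpa /secondary 10.0.0.2

rem Added hardening (not in the column): transfer zones only to servers that
rem have NS records. Win2K defaults to "any server"; Windows 2003 already
rem defaults to this, so the lines are harmless there.
dnscmd localhost /zoneresetsecondaries bigfirm.biz /securens
dnscmd localhost /zoneresetsecondaries 0.168.192.in-addr.arpa /securens
goto register

:downtown
rem --- Listing 2 equivalent: DowntownDC (10.0.0.2) ---
rem Secondaries for bigfirm.biz and the 192 reverse zone; UptownDC is master.
dnscmd localhost /zoneadd bigfirm.biz /secondary 192.168.0.2
dnscmd localhost /zoneadd 0.168.192.in-addr.arpa /secondary 192.168.0.2
rem Primary for the 10.0.0.x reverse zone (file name 10.dns is an assumption),
rem made dynamic, with UptownDC named as its second NS.
dnscmd localhost /zoneadd 0.0.10.in-addr.arpa /primary /file 10.dns
dnscmd localhost /config 0.0.10.in-addr.arpa /AllowUpdate 1
dnscmd localhost /recordadd 0.0.10.in-addr.arpa @ NS uptowndc.bigfirm.biz.
dnscmd localhost /zoneresetsecondaries 0.0.10.in-addr.arpa /securens

:register
rem Register this server's own A and PTR records in the new zones now.
ipconfig /registerdns

rem Quick check. For each zone this server holds as primary, "update" should
rem read 1 and "secure secs" should read 1 (1 = NS-listed servers only;
rem 0 would mean anyone can pull the zone).
for %%z in (bigfirm.biz 0.168.192.in-addr.arpa 0.0.10.in-addr.arpa) do (
    echo == %%z
    dnscmd localhost /zoneinfo %%z | findstr /i /c:"update" /c:"secure secs"
)

rem After Dcpromo has run on both DCs, convert bigfirm.biz to AD-integrated
rem and switch to secure-only dynamic updates. These are documented Dnscmd
rem options, but this step is not part of the column's listings:
rem   dnscmd localhost /zoneresettype bigfirm.biz /dsprimary
rem   dnscmd localhost /config bigfirm.biz /AllowUpdate 2
endlocal
```

To confirm that the transfer restriction took, run Nslookup from a machine that isn't one of the zone's name servers, point it at UptownDC with the server command, and issue ls -d bigfirm.biz; the transfer request should be refused, while the same request from DowntownDC should succeed.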
Dnscmd has many options, but I've shown you most of what you'll need. With these examples, you should be able to begin your trek toward building your own disaster-recovery scripts.