Archive for March 27, 2010

Problem

You want to query resource records.

Solution

Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

	> nslookup -type=<RecordType> <RecordName>

Using VBScript
	' This code prints the resource records that match
	' the specified name.
	' ------ SCRIPT CONFIGURATION ------
	strQuery = "<RecordName>"
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord" & _
	                              " where OwnerName = """ & strQuery & """" & _
	                              " Or DomainName = """ & strQuery & """" & _
	                              " Or RecordData = """ & strQuery & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strQuery
	else
	   for each objRR in objRRs
	      WScript.Echo objRR.TextRepresentation
	   next
	end if

Discussion

Using a command-line interface

You can leave off the -type switch, and the command will find any A, PTR, and CNAME records that match <RecordName>.

You can also run nslookup in interactive mode, which you enter by typing nslookup at a command prompt with no additional parameters, and switch between query types with the set q=<RecordType> command; set q=any matches records of every type.

Using VBScript

In the VBScript solution, a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the MicrosoftDNS_ResourceRecord class that has an OwnerName, DomainName, or RecordData field equal to the <RecordName>. This is not the most efficient query if the server supports multiple large zones, so you may want to restrict it to search for specific types of records by adding criteria to match RecordType = <Type>.


Problem

You want to create and delete resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

  1. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).
  2. Fill in all required fields.
  3. Click OK.

To delete a resource record, do the following:

  1. In the left pane, click on the zone the record is in.
  2. In the right pane, right-click on the record you want to delete and select Delete.
  3. Click Yes to confirm.

Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:

> dnscmd dc1 /recordadd rallencorp.com wins01 A 19.25.52.25

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes an A record in the rallencorp.com zone:

> dnscmd dc1 /recorddelete rallencorp.com wins01 A 19.25.52.25

Using VBScript
	' This code shows how to add an A record and PTR record using
	' the DNS WMI Provider.
	' ------ SCRIPT CONFIGURATION ------
	strForwardRRAdd = "test-xp.rallencorp.com. IN A 192.32.64.13"
	strReverseRRAdd = "13.64.32.192.in-addr.arpa IN PTR test-xp.rallencorp.com"
	strForwardDomain = "rallencorp.com"
	strReverseDomain = "192.in-addr.arpa."
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

	' Create the A record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                       objDNSServer.Name, _
	                       strForwardDomain, _
	                       strForwardRRAdd, _
	                       objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' Create the PTR record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                       objDNSServer.Name, _
	                       strReverseDomain, _
	                       strReverseRRAdd, _
	                       objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' This code shows how to delete an A and PTR record for the record
	' we created in the previous example.
	strHostName = "test-xp.rallencorp.com."

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord " & _
	                              " where OwnerName = """ & strHostName & """" & _
	                              " Or RecordData = """ & strHostName & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strHostName
	else
	   for each objRR in objRRs
	      objRR.Delete_
	      WScript.Echo "Deleted " & objRR.TextRepresentation
	   next
	end if

Discussion

Using a graphical user interface

The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then we’d recommend writing a batch file around dnscmd or using the DNS WMI Provider to automate the process.

Using a command-line interface

Adding A, CNAME, and PTR resource records is pretty straightforward as far as the data you must enter, but other record types, such as SRV, require quite a bit more data. The help pages for /recordadd and /recorddelete display the required information for each record type. For example, to add an SRV record using dnscmd, you need to specify the priority, weight, port, and hostname of the record as in the following example:

> dnscmd dc1 /recordadd rallencorp.com _kerberos._tcp SRV 50 100 88 dc1.rallencorp.com

Using VBScript

The first example creates A and PTR records using the CreateInstanceFrom TextRepresentation method, which is a MicrosoftDNS_ResourceRecord method that allows you to create resource records by passing in the textual version of the record. This is the textual representation of the A record used in the example:

test-xp.rallencorp.com IN A 192.32.64.13

The first parameter to this method is the DNS server name, the second is the name of the domain to add the record to, the third is the resource record, and the last is an out parameter that returns a reference to the new resource record.

The second example finds all resource records that match a certain hostname and deletes them. This is done by first using a WQL query to find all resource records where the OwnerName equals the target hostname (this will match any A records) or where RecordData equals the target hostname (this will match any PTR records). The Delete_ method is called on each matching record, removing them from the DNS server. Because the query matches on name alone, it also returns any other record whose data is that hostname, such as a CNAME alias or an NS record pointing at the host, and the loop deletes those as well; add a RecordType criterion to the query if that is not what you want.
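The name matching that both the query recipe above and this deletion script rely on, as an added example (not code from the original page): the records below are a constructed sample in the TextRepresentation form the scripts print, and the search helper reproduces the WQL's OwnerName/RecordData equality test together with the optional RecordType restriction the earlier discussion recommends, so you can see exactly which records a name-only delete would sweep up.

```python
"""Match DNS resource records by owner name or record data, optionally
restricted to a record type, the way the WQL queries on this page do.

Added example (not part of the original page). The input format is the
TextRepresentation string the page's scripts print
("owner [TTL] IN TYPE data"); the sample records below are constructed."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class ResourceRecord:
    owner: str
    ttl: Optional[int]
    rtype: str
    data: str


def normalize_name(name: str) -> str:
    """DNS names are case-insensitive and the trailing dot is optional."""
    return name.rstrip(".").lower()


def parse_text_representation(line: str) -> ResourceRecord:
    """Parse 'owner [TTL] IN TYPE data' (the MicrosoftDNS TextRepresentation form)."""
    tokens = line.split()
    if len(tokens) < 4:
        raise ValueError(f"not a resource record: {line!r}")
    owner = tokens[0]
    idx = 1
    ttl = None
    if tokens[idx].isdigit():          # the TTL is optional in this form
        ttl = int(tokens[idx])
        idx += 1
    if tokens[idx].upper() != "IN":
        raise ValueError(f"expected class IN: {line!r}")
    rtype = tokens[idx + 1].upper()
    data = " ".join(tokens[idx + 2:])
    return ResourceRecord(owner, ttl, rtype, data)


def search(records: List[ResourceRecord], name: str, rtype: Optional[str] = None):
    """Records whose OwnerName or RecordData equals `name`, like the page's
    WQL "where OwnerName = ... Or RecordData = ..."; `rtype` narrows by type."""
    target = normalize_name(name)
    hits = []
    for rr in records:
        if rtype and rr.rtype != rtype.upper():
            continue
        if normalize_name(rr.owner) == target or normalize_name(rr.data) == target:
            hits.append(rr)
    return hits


# Constructed sample zone data, using the names that appear on this page.
SAMPLE_RECORDS = [parse_text_representation(s) for s in [
    "test-xp.rallencorp.com. 3600 IN A 192.32.64.13",
    "13.64.32.192.in-addr.arpa. 3600 IN PTR test-xp.rallencorp.com.",
    "www.rallencorp.com. IN CNAME test-xp.rallencorp.com.",
    "rallencorp.com. IN MX 10 test-xp.rallencorp.com.",
    "wins01.rallencorp.com. IN A 19.25.52.25",
]]


if __name__ == "__main__":
    # Everything the deletion script's name-only query would remove ...
    for rr in search(SAMPLE_RECORDS, "test-xp.rallencorp.com"):
        print("would delete:", rr)
    # ... versus only the A record once the type is pinned down.
    for rr in search(SAMPLE_RECORDS, "test-xp.rallencorp.com", rtype="A"):
        print("A only:", rr)
```

Note that the equality test is exactly as blunt as the WQL: the CNAME alias is swept up along with the A and PTR records, while the MX record is missed because its RecordData carries a preference value in front of the hostname.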

Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Security tab.

  6. Click the Add button.

  7. Use the Object Picker to locate the user or group to which you want to delegate control.

  8. Under Permissions, check the Full Control box.

  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

	> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

Using VBScript
	' This code grants full control for the specified user or group over
	' an AD-Integrated zone.
	' ------ SCRIPT CONFIGURATION -------
	strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
	strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
	' ------ END CONFIGURATION ---------

	set objZone = GetObject("LDAP://" & strZoneDN)
	'############################
	' Constants
	'############################
	' ADS_ACETYPE_ENUM
	Const ADS_ACETYPE_ACCESS_ALLOWED = &h0

	' ADS_RIGHTS_ENUM
	Const ADS_RIGHT_GENERIC_ALL = &h10000000

	'############################
	' Create ACL
	'############################

	set objSD = objZone.Get("nTSecurityDescriptor")
	set objDACL = objSD.DiscretionaryAcl

	' Full Control. A plain access-allowed ACE is used here: an object ACE
	' (ADS_ACETYPE_ACCESS_ALLOWED_OBJECT with ADS_FLAG_OBJECT_TYPE_PRESENT)
	' requires an ObjectType GUID, and none applies to a whole-object grant.
	set objACE1 = CreateObject("AccessControlEntry")
	objACE1.Trustee    = strUserOrGroup
	objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
	objACE1.AceFlags   = 0   ' applies to the zone object only, no inheritance
	objACE1.Flags      = 0
	objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED

	objDACL.AddAce objACE1

	'############################
	' Set ACL
	'############################
	objSD.DiscretionaryAcl = objDACL
	objZone.Put "nTSecurityDescriptor", objSD
	objZone.SetInfo
	WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

Discussion

By default, members of the DNSAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD-integrated zones by modifying permissions on the zone object in AD. The solutions show examples for how to grant Full Control to an additional user or group over a particular zone. Keep in mind that Full Control includes the rights to change the zone object's permissions and owner, so the delegate can in turn grant access to others; if that is not intended, grant a narrower set of rights instead.
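After delegating, the check a reviewer wants is a list of everyone who now holds Full Control on the zone object and whether each grant was set directly on the zone or inherited from the MicrosoftDNS container. The following is an added example, not code from the original page: it parses the zone object's security descriptor in SDDL form (it assumes you have exported the nTSecurityDescriptor attribute as an SDDL string, for example with PowerShell's Get-Acl on the AD: drive) and reports the full-control ACEs. The SDDL string at the bottom, including its user SID, is a constructed sample.

```python
"""Audit an AD object's DACL (as an SDDL string) for Full Control grants.

Added example, not from the original page. It assumes the zone object's
security descriptor has been exported as SDDL; the sample below is constructed."""
import re
from typing import Dict, List

ACE_RE = re.compile(r"\(([^)]*)\)")

# The object-specific rights that together amount to Full Control on a DS
# object; GA (GENERIC_ALL) is the shorthand the page's script and dsacls use.
FULL_CONTROL_RIGHTS = {"CC", "DC", "LC", "SW", "RP", "WP", "DT", "LO",
                       "CR", "SD", "RC", "WD", "WO"}
GENERIC_ALL_MASK = 0x10000000
DS_FULL_CONTROL_MASK = 0x000F01FF


def dacl_string(sddl: str) -> str:
    """Return the D: section of an SDDL string (control flags plus ACEs)."""
    start = sddl.find("D:")
    if start < 0:
        return ""
    end = sddl.find("S:", start + 2)          # an optional SACL follows the DACL
    return sddl[start + 2:end if end >= 0 else len(sddl)]


def rights_tokens(rights: str):
    """Expand the rights field: a hex access mask or two-letter right tokens."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def grants_full_control(rights) -> bool:
    if isinstance(rights, int):
        return bool(rights & GENERIC_ALL_MASK) or \
            (rights & DS_FULL_CONTROL_MASK) == DS_FULL_CONTROL_MASK
    return "GA" in rights or FULL_CONTROL_RIGHTS <= rights


def full_control_grants(sddl: str) -> List[Dict[str, object]]:
    """Every allow ACE in the DACL that amounts to Full Control on the object
    itself, with whether it flows down to child objects (CI) and whether it
    was inherited from a parent (ID) rather than set on this object."""
    result = []
    for ace in ACE_RE.findall(dacl_string(sddl)):
        fields = ace.split(";")
        if len(fields) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):
            continue                           # deny / audit ACEs are not grants
        if ace_type == "OA" and obj_guid:
            continue                           # scoped to one property or child type
        if not grants_full_control(rights_tokens(rights)):
            continue
        flag_set = {flags[i:i + 2] for i in range(0, len(flags), 2)}
        result.append({
            "trustee": trustee,
            "inherits_to_children": "CI" in flag_set,
            "inherited": "ID" in flag_set,
        })
    return result


# Constructed sample: a zone DACL after delegating GA to one user SID, next to
# the usual Domain Admins (DA), Authenticated Users (AU) and Administrators
# (BA) entries. The SID is made up for the example.
SAMPLE_ZONE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;GA;;;S-1-5-21-1004336348-1177238915-682003330-1105)"
    "(A;CI;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;CIID;LCRPLORC;;;AU)"
    "(A;CIID;0xf01ff;;;BA)"
)

if __name__ == "__main__":
    for grant in full_control_grants(SAMPLE_ZONE_SDDL):
        print(grant)
```

The delegated user's ACE shows up with inherits_to_children False, which matches the non-inherited grant the dsacls and VBScript solutions create: the rights apply to the zone container itself, and the delegate works on records through the create-child and delete-child rights on that container.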

Problem

You want to configure forwarding to allow for name resolution outside of your corporate network.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click the Forwarders tab.

  5. To configure a global forwarder, make sure “All other DNS domains” is selected under DNS domain, type an IP under “Selected domain’s forwarder IP address list,” click Add, and then click Apply.

  6. To configure a conditional forwarder for a specific domain, click the New button.

  7. Enter the domain name and click OK.

  8. Add IPs as described for global forwarders in Step 5.

  9. From the Forwarders tab, you can also set the number of seconds that the server waits before forward queries time out. You can also disable the use of recursion for certain domains. Both of these can be set on a per-domain basis.

Using a command-line interface

The following command sets the default forwarders. Replace <IPsOfForwarders> with a space-separated list of IP addresses for the nameservers to forward requests to.

	> dnscmd <ServerName> /resetforwarders <IPsOfForwarders>

For example:

	> dnscmd dns01 /resetforwarders 10.22.3.4 10.22.3.5

The following command creates a domain-based forwarder:

	> dnscmd <ServerName> /zoneadd <DomainName> /forwarder <IPsOfForwarders>

The following command configures the default forwarder timeout:

	> dnscmd <ServerName> /config /forwardingtimeout <NumSeconds>

The following command configures the forwarder timeout for a specific domain:

	> dnscmd <ServerName> /config <DomainName> /forwardertimeout <NumSeconds>

Using VBScript
	' This code enumerates the default forwarders.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	for each strForwarder in objDNSServer.Forwarders
	   Wscript.Echo strForwarder
	Next

	' This code sets the default forwarders.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns1.rallencorp.com
	arrForwarders = Array("<IP1>","<IP2>")
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.Forwarders = arrForwarders
	objDNSServer.Put_
	Wscript.Echo "Successfully set default forwarders"

	' This code sets the forwarders for a specific domain.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns01
	strNewZone = "<ZoneName>"  ' e.g. othercorp.com
	arrMasterIPs = Array("<IP1>","<IP2>") ' replace <IPx> with IPs of master server
	' ------ END CONFIGURATION --------
	on error resume next
	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
	' zone type 3 = forwarder zone
	strNull = objDNSZone.CreateZone(strNewZone,3,false,"",arrMasterIPs)
	if Err then
	   WScript.Echo "Error occurred creating zone: " & Err.Description
	else
	   WScript.Echo "Domain forwarder created."
	end if

Discussion

Nameservers have long supported the notion of forwarders. Rather than sending all unresolved queries to the root Internet nameservers, you can use forwarders to send queries to a specific server or set of servers, perhaps hosted by your ISP or by a partner corporation. This allows you to better control the name resolution process on your network.

Microsoft has extended this capability in Windows Server 2003 to support conditional forwarding. With conditional forwarding, you can forward unresolved queries for specific domains to different nameservers. The most common use of conditional forwarding is when you have two or more noncontiguous namespaces. Consider, for example, a merger between the rallencorp.com and othercorp.com corporations. Normally, for the nameservers of rallencorp.com to resolve queries for othercorp.com, the queries would have to first be forwarded to the root Internet nameservers. With conditional forwarding, you can configure the rallencorp.com DNS servers so that all requests for othercorp.com should be sent directly to the othercorp.com nameservers and all other unresolved queries should be sent to the Internet, and vice versa. The trade-off for this feature is the additional CPU processing that’s necessary to examine each query and forward it to the appropriate server, rather than just funneling all unresolved queries to a single external server.


Problem

You want to enable zone transfers to specific secondary nameservers.

Solution

Using a graphical user interface

  1. Open the DNS snap-in.
  2. In the left pane, expand the server node and expand either Forward Lookup Zone or Reverse Lookup Zone depending on the type of zone you want to manage.
  3. Right-click on the zone and select Properties.
  4. Select the Zone Transfers tab.
  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See the “Discussion” section for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs

The next command enables zone transfers for same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.22.33 and 172.16.22.34:

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.22.33 172.16.22.34

Using VBScript
	' This code creates a nameserver (NS) record on a DNS server. A server
	' needs an NS record in the zone before the NS-only setting (/SecureNs,
	' or ZONE_SECSECURE_NS_ONLY below) will let it pull a transfer.
	strDNSServer = "<servername>"
	strContainer = "<containername>"   ' the zone name
	strOwner = "<ownername>"           ' owner name of the NS record
	intRecordClass = 1                 ' IN
	intTTL = 600
	strNSHost = "<nameservername>"
	strComputer = "."

	set objWMIService = GetObject _
	    ("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
	set objItem = objWMIService.Get("MicrosoftDNS_NSType")
	errResult = objItem.CreateInstanceFromPropertyData _
	    (strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)

	' This code configures the allowed secondaries for zone transfer and notify
	' XFR constants
	const ZONE_SECSECURE_NO_SECURITY = 0
	const ZONE_SECSECURE_NS_ONLY = 1
	const ZONE_SECSECURE_LIST_ONLY = 2
	const ZONE_SECSECURE_NO_XFR = 3
	' NOTIFY constants
	const ZONE_NOTIFY_OFF = 0
	const ZONE_NOTIFY_ALL_SECONDARIES = 1
	const ZONE_NOTIFY_LIST_ONLY = 2
	' ------ SCRIPT CONFIGURATION -------
	strZone = "<ZoneName>"     ' e.g. rallencorp.com
	strServer = "<ServerName>" ' e.g. dc1.rallencorp.com
	' use one of the above XFR constants
	intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
	arrSecondaries = Array("1.1.1.2","1.1.1.3")
	' use one of the above NOTIFY constants
	intNotify = ZONE_NOTIFY_LIST_ONLY
	arrNotify = Array("<IP1>","<IP2>")
	' ------ END CONFIGURATION ---------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
	                            strZone & """,DnsServerName=""" & _
	                            objDNSServer.Name & """,Name=""" & strZone & """")
	strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
	                                      arrNotify,intNotify)
	objDNSZone.Put_
	WScript.Echo "Updated secondaries for zone transfer and notify"

Discussion

Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD-integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD-integrated nameservers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directory-integrated zones, the Name Servers tab will be automatically populated with a list of all nameservers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many nameservers deployed. If any of your nameservers are using standard zone files, however, you will need to populate this tab manually for any secondary nameservers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the additional management overhead of keeping track of the IP addresses of all nameservers on your network, so you should follow this approach only if your network is small and you have relatively few nameservers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of nameservers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

Note that on Windows 2000 nameservers, the default setting is to allow zone transfers with any host that requests them. This setting is inherently insecure as it allows attackers to use nslookup to display all resource records on your servers, so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default because in the case of file-based zones, it is configured to allow zone transfers only with servers listed on the Name Servers tab of a zone. In the case of Active Directory-integrated zones, it is configured to disallow zone transfers entirely since they generally aren't needed in an Active Directory environment.
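The way to confirm the setting actually took is to ask for a transfer from a host that is not on the list. The following is an added example, not code from the original page: it builds an AXFR request in DNS wire format, sends it over TCP to the server, and classifies the first reply (REFUSED is what a restricted zone answers; a NOERROR reply whose first answer is the SOA means the zone is open to anyone). The wire-format builder and classifier are separated from the socket code so they can be exercised offline; the two server replies at the bottom are constructed.

```python
"""Check whether a nameserver hands a full zone transfer (AXFR) to an
arbitrary client, which is what the discussion above warns about.

Added example, not from the original page. build_axfr_query() and
classify_axfr_response() work on raw DNS wire format so they can be tested
offline; probe_axfr() is the part that talks to a real server. The sample
replies at the bottom are constructed."""
import socket
import struct

QTYPE_AXFR = 252
RTYPE_SOA = 6
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """Header with no RD bit (AXFR is asked of the authoritative server
    directly) plus one question of type AXFR, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)


def skip_name(msg: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:            # a compression pointer ends the name
            return offset + 2
        offset += 1 + length


def classify_axfr_response(msg: bytes) -> str:
    """REFUSED/NOTAUTH: transfers restricted or server not authoritative.
    NOERROR with a leading SOA answer: the zone is open to this client."""
    _txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x0F
    if rcode != 0:
        return RCODE_NAMES.get(rcode, f"RCODE{rcode}")
    if ancount == 0:
        return "NOERROR_EMPTY"
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4        # skip QTYPE and QCLASS
    off = skip_name(msg, off)                # owner name of the first answer
    rtype = struct.unpack("!H", msg[off:off + 2])[0]
    return "OPEN_AXFR" if rtype == RTYPE_SOA else "NOERROR_NON_SOA"


def recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def probe_axfr(server: str, zone: str, timeout: float = 5.0) -> str:
    """Send the AXFR over TCP (two-byte length prefix) and classify the reply."""
    query = build_axfr_query(zone)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        (length,) = struct.unpack("!H", recv_exact(s, 2))
        return classify_axfr_response(recv_exact(s, length))


def _constructed_response(zone: str, rcode: int, with_soa: bool) -> bytes:
    """Build a minimal server reply for offline testing (constructed data)."""
    flags = 0x8400 | rcode                                   # QR=1, AA=1
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1 if with_soa else 0, 0, 0)
    question = encode_name(zone) + struct.pack("!HH", QTYPE_AXFR, 1)
    if not with_soa:
        return header + question
    rdata = (encode_name("ns1." + zone) + encode_name("hostmaster." + zone)
             + struct.pack("!IIIII", 2010032701, 900, 600, 86400, 3600))
    answer = b"\xC0\x0C" + struct.pack("!HHIH", RTYPE_SOA, 1, 3600, len(rdata)) + rdata
    return header + question + answer


SAMPLE_REFUSED = _constructed_response("test.local", 5, with_soa=False)
SAMPLE_OPEN = _constructed_response("test.local", 0, with_soa=True)

if __name__ == "__main__":
    print(classify_axfr_response(SAMPLE_REFUSED))    # REFUSED
    print(classify_axfr_response(SAMPLE_OPEN))       # OPEN_AXFR
```

Run probe_axfr("<ServerName>", "test.local") from a machine that is neither on the SecureList nor listed on the Name Servers tab; anything other than REFUSED (or NOTAUTH when you hit the wrong server) deserves a look, and OPEN_AXFR is the same full dump the discussion describes an attacker pulling with nslookup.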


Problem

You want to convert a standard primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file on the local server.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”
  3. Enter the server you want to connect to and click OK.
  4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you want to convert a reverse zone, expand the Reverse Lookup Zone folder.
  5. Right-click on the zone you want to convert and select Properties.
  6. Beside Type, click the Change button.
  7. Check the box beside “Store the zone in Active Directory.”
  8. Click OK twice.

Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

Using VBScript
	' This code converts a zone to AD-integrated.
	' ------ SCRIPT CONFIGURATION ------
	strZone = "<ZoneName>"     ' e.g. rallencorp.com
	strServer = "<ServerName>" ' e.g. dc1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
	                            strZone & """,DnsServerName=""" & _
	                            objDNSServer.Name & """,Name=""" & strZone & """")
	' zone type 0 = primary; True = store it in Active Directory
	strNull = objDNSZone.ChangeZoneType(0, True)
	objDNSZone.Put_
	WScript.Echo "Converted " & strZone & " to AD-Integrated"

Problem

You want to view the zones on a server.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”
  3. Enter the server you want to connect to and click OK.
  4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the hosted zones.

Using a command-line interface

> dnscmd <DNSServerName> /enumzones

Using VBScript
	' This code lists the zones that are hosted by the specified server.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
	                                "Where DnsServerName = '" & _
	                                objDNSServer.Name & "'")
	WScript.Echo "Zones on " & objDNSServer.Name
	for each objZone in objZones
	   WScript.Echo " " & objZone.Name
	next

Discussion

Using a graphical user interface

When you click on either the Forward Lookup Zones or Reverse Lookup Zones in the lefthand pane of the DNS MMC, the right pane contains a Type column that displays the zone type for each zone.

Using a command-line interface

When using the /enumzones switch without any more parameters, it displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters (for example, the /enumzones /primary /forward switch combination displays all primary forward zones on the server):

  Filter1: /Primary, /Secondary, /Cache, /Auto-Created
  Filter2: /Forward, /Reverse

With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of having two levels of criteria, you can specify one or more of the following:

  /Primary
      Lists both standard and Active Directory-integrated primary zones
  /Secondary
      Lists all standard secondary zones
  /Forwarder
      Lists all zones that forward unresolvable queries to another DNS server
  /Stub
      Lists all stub zones hosted on a server
  /Cache
      Lists zones that are loaded into cache on the server
  /Auto-Created
      Lists zones that were created automatically during the DNS server installation
  /Forward
      Lists all forward lookup zones
  /Reverse
      Lists all reverse lookup zones
  /Ds
      Lists all Active Directory-integrated zones
  /File
      Lists zones that are stored in text files
  /DomainDirectoryPartition
      Lists zones that are stored in the DomainDNSZones partition
  /ForestDirectoryPartition
      Lists zones that are stored in the ForestDNSZones partition
  /CustomDirectoryPartition
      Lists zones that are stored in a user-created directory partition
  /LegacyDirectoryPartition
      Lists zones that are stored in the domain NC
  /DirectoryPartition <PartitionName>
      Lists zones that are stored in a particular application partition

Using VBScript

A WQL query was used to find all MicrosoftDNS_Zone objects. You can add additional criteria to the WQL Select statement to return a subset of zones supported on the server.

Creating a Reverse Lookup Zone

Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. Expand the server in the left pane and click on Reverse Lookup Zones.
  4. Right-click on Reverse Lookup Zones and select New Zone.
  5. Click Next.
  6. Select the zone type (Primary, Secondary, or Stub zone). To AD-integrate the zone, place a check mark next to “Store the zone in Active Directory (available only if DNS server is a domain controller)” and click Next.
  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to: all DNS servers in the forest, all DNS servers in the domain, all domain controllers in the domain, or all DCs that are hosting a particular application partition. Click Next after you make your selection.
Step 7 applies only to DNS servers that are installed on Windows Server 2003 domain controllers. If you still have Windows 2000 DNS servers in your environment, choose the option to replicate the zone to all domain controllers in your domain.
  8. Type the Network ID for the reverse zone or enter a reverse zone name to use.
  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD-integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using VBScript
	' This code creates an AD-integrated reverse zone.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
	strNewZone = "<ZoneName>" ' e.g. 8.10.192.in-addr.arpa.
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
	' zone type 0 = primary; True = store it in Active Directory
	strNull = objDNSZone.CreateZone(strNewZone, 0 , True)
	WScript.Echo "Created zone " & strNewZone

Discussion

Creating a reverse zone is very similar to creating a forward zone.

Creating a Forward Lookup Zone

Problem

You want to create a forward lookup zone. A forward lookup zone maps FQDNs to IP addresses or other names.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” enter the server you want to connect to (if applicable), and click OK.
  3. Expand the server in the left pane and click on Forward Lookup Zones.
  4. Right-click on Forward Lookup Zones and select New Zone.
  5. Click Next.
  6. Select the zone type and click Next.
  7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection.
Step 7 applies only to DNS servers that are installed on Windows Server 2003 domain controllers. If you still have Windows 2000 DNS servers in your environment, choose the option to replicate the zone to all domain controllers in your domain.
  8. Enter the zone name and click Next.
  9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

Using a command-line interface

The following command creates an AD-integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

Using VBScript
	' This code creates an AD-integrated forward zone.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
	strNewZone = "<ZoneName>"     ' e.g. othercorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
	' zone type 0 = primary; True = store it in Active Directory
	strNull = objDNSZone.CreateZone(strNewZone, 0 , True)
	WScript.Echo "Created zone " & strNewZone

Discussion

Using a command-line interface

When you create an AD-integrated zone with the /DsPrimary switch, you can additionally include a /dp switch and specify an application partition to add the zone to. Here is an example:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary /dp domaindnszones.rallencorp.com

Using VBScript

The DNS WMI Provider is Microsoft’s first comprehensive DNS API. You can create and modify zones, query and manage resource records, and manipulate DNS server configuration. In the VBScript solution, the CreateZone method of the MicrosoftDNS_Zone class was used to create the forward zone. The DNS WMI Provider is available only for Windows Server 2003 DNS; it cannot be used on Windows 2000 DNS servers.