Archive for the ‘Active Directory’ Category

Problem

You want to manually deregister a domain controller’s resource records.

Solution

Using a command-line interface

With the following nltest command, replace <DomainControllerName> with the FQDN of the domain controller you want to deregister and <DomainDNSName> with the FQDN of the domain of which the domain controller is a member:

	> nltest /dsderegdns:<DomainControllerName> /dom:<DomainDNSName>

Discussion

When a domain controller is demoted from a domain, it dynamically deregisters its resource records. This is a nice feature of the demotion process because it means you do not have to manually remove all of the resource records or wait for scavenging to remove them. If, however, you have a domain controller that crashes and you do not plan on bringing it back online, you’ll need to remove the records manually or wait for the scavenging process to take place.

You can use the DNS Mgmt MMC snap-in and even the dnscmd.exe utility to manually remove them one by one, or you can use nltest, as shown in the solution.

The /dsderegdns switch also has /DomGUID and /DsaGUID options if you want to delete the records that are based on the domain GUID and DSA GUID, respectively. You need to know the actual GUIDs of the domain and domain controller to use those switches, so if you don’t have them handy, it would be easier to delete them using the DNS Management MMC snap-in.

Problem

You want to manually force registration of a domain controller’s resource records. This may be necessary if you’ve made some configuration changes on your DNS servers to allow your domain controllers to start dynamically registering resource records.

Solution

Using a command-line interface
	> nltest /dsregdns /server:<DomainControllerName>

Discussion

The Windows Server 2003 version of nltest provides a /dsregdns switch that allows you to force registration of the domain-controller-specific resource records. You can also force reregistration of its resource records by restarting the NetLogon service on the domain controller. The NetLogon service automatically attempts to reregister a domain controller’s resource records every hour, so if you can wait that long, you do not need to use nltest.
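Added here as an example that is not part of the original recipes: a PowerShell script that lists the locator SRV records a domain controller should own and reports whether each one still points at it. It is useful before a manual /dsderegdns (to see what will be removed), after a DC crash (to confirm nothing still advertises the dead host), or after /dsregdns (to confirm registration worked). The parameter names are assumptions, and it needs the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not part of the original recipe: check which locator SRV
# records currently point at a given domain controller.
param(
    [Parameter(Mandatory)] [string] $DomainController,  # FQDN, e.g. dc1.rallencorp.com (assumed name)
    [Parameter(Mandatory)] [string] $DomainDnsName,     # e.g. rallencorp.com (assumed name)
    [string] $DnsServer,                                # optional: ask a specific DNS server
    [switch] $ExpectRemoved                             # set when checking after a deregistration
)

# Non-site-specific locator records every writable DC registers. The site-specific
# copies live under _sites.<SiteName>; add them here if you need to check those too.
$srvNames = @(
    "_ldap._tcp.$DomainDnsName",
    "_ldap._tcp.dc._msdcs.$DomainDnsName",
    "_kerberos._tcp.$DomainDnsName",
    "_kerberos._tcp.dc._msdcs.$DomainDnsName",
    "_kpasswd._tcp.$DomainDnsName",
    "_gc._tcp.$DomainDnsName"          # only registered by global catalog servers
)

function Get-DcSrvState {
    foreach ($name in $srvNames) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query['Server'] = $DnsServer }
        # Resolve-DnsName returns one DnsRecord_SRV object per target; NameTarget is
        # the host the record points at.
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })
        $mine    = @($records | Where-Object { $_.NameTarget -ieq $DomainController })
        $others  = @($records | Where-Object { $_.NameTarget -ine $DomainController } |
                     Select-Object -ExpandProperty NameTarget -Unique)
        $port = $null
        if ($mine.Count) { $port = $mine[0].Port }
        [pscustomobject]@{
            Record     = $name
            Registered = ($mine.Count -gt 0)
            Port       = $port
            OtherDCs   = ($others -join ',')
        }
    }
}

$state = Get-DcSrvState
$state | Format-Table -AutoSize

# A record that is still Registered after deregistration keeps sending clients to a
# host that no longer answers; a missing record on a live DC (while OtherDCs shows
# the rest of the domain) is what /dsregdns or a NetLogon restart should fix.
if ($ExpectRemoved) {
    $problems = @($state | Where-Object Registered)
} else {
    $problems = @($state | Where-Object { -not $_.Registered -and $_.Record -notlike '_gc.*' })
}
if ($problems.Count) {
    Write-Warning ("Unexpected state for: " + ($problems.Record -join ', '))
    exit 1
}
exit 0
```

Run it twice when cleaning up after a crashed DC: once against the server you deregistered on, and once against another DNS server in the domain, because the records have to replicate (or transfer) before every resolver stops handing out the dead host.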

Problem

You want to enable DNS debug logging to troubleshoot issues related to DNS queries or updates.

Solution

Using a graphical user interface
  1. From the Administrative Tools, open the DNS Management snap-in.

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click on the Debug Logging tab (or the Logging tab in Windows 2000).

  5. Select what you want to log and the location of the logfile (in Windows 2000, the logfile location is hardcoded to %systemroot%\system32\dns\dns.log).

  6. Click OK.

Using a command-line interface

Use the following commands to enable and configure debug logging. For the log level, add together the hex values of the event codes you want logged and specify the sum in hex. The available event codes are listed in the table in the Discussion.

	> dnscmd <ServerName> /Config /LogLevel <EventFlagSumInHex>

Use the following command to specify the location of the logfile:

	> dnscmd <ServerName> /Config /LogFilePath <DirectoryAndFilePath>

Use the following command to log only entries that pertain to certain IP addresses:

	> dnscmd <ServerName> /Config /LogIPFilterList <IPAddress1>[,<IPAddress2>…]

Use the following command to specify the maximum logfile size:

	> dnscmd <ServerName> /Config /LogFileMaxSize <NumberOfBytesInHex>

Use the following command to disable debug logging:

	> dnscmd <ServerName> /Config /LogLevel 0

Using VBScript
	' This code enables DNS debug logging.
	' ------ SCRIPT CONFIGURATION -------
	strServer = "<ServerName>" ' e.g. dc1
	' The log level must be in decimal, not hex like dnscmd
	intLogLevel = <EventFlagSumInDecimal> ' e.g. 65535
	arrFilterList = Array("<IPAddress1>") ' e.g. 192.168.1.12
	strFilePath = "<DirectoryAndFilePath>" ' e.g. c:\dnslog.txt
	intFileSize = <NumberOfBytesInDecimal> ' e.g. 50000000
	' ------ END CONFIGURATION ---------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.LogLevel = intLogLevel
	objDNSServer.LogIPFilterList = arrFilterList
	objDNSServer.LogFilePath = strFilePath
	objDNSServer.LogFileMaxSize = intFileSize
	objDNSServer.Put_
	WScript.Echo "Enabled DNS Debug Logging on " & strServer

	' To disable debug logging, set the intLogLevel variable to 0

Discussion

With the DNS Server debug log, you can record all DNS operations received and initiated by the server, including queries, updates, zone transfers, etc. If you need to troubleshoot a particular host, you can use the LogIPFilterList setting in dnscmd or the WMI DNS Provider to restrict the log to operations performed only for or by that host.

The most important debug log setting is the log level. With the DNS snap-in, you can select from a list of available options. With Windows Server 2003, the DNS snap-in provides an intuitive interface for selecting the required options. On Windows 2000, you are presented with a list of checkboxes and you have to figure out which ones need to be used in conjunction with one another. You have a similar issue with CLI and VBScript solutions, where you need to determine what log level you want to set.

The following table lists all of the event codes with their hexadecimal and decimal values.

Table: DNS debug logging event codes

Hex value     Decimal value   Description
0x0           0               No logging. This is the default.
0x1           1               Query transactions.
0x10          16              Notification transactions.
0x20          32              Update transactions.
0xFE          254             Nonquery transactions.
0x100         256             Question packets.
0x200         512             Answer packets.
0x1000        4096            Send packets.
0x2000        8192            Receive packets.
0x4000        16384           UDP packets.
0x8000        32768           TCP packets.
0xFFFF        65535           All packets.
0x10000       65536           AD write transactions.
0x20000       131072          AD update transactions.
0x1000000     16777216        Full packets.
0x80000000    2147483648      Write-through transactions.

DNS debug logging can come in handy if you want to look at the dynamic update requests a particular DNS Server is processing. For example, if a client or DHCP server is attempting to dynamically register records, you can enable the Update Transactions log category on the DNS Server you think should be processing the updates. If you don’t see any update transactions, this can indicate that another server is processing the dynamic update requests.
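Added here as an example that is not part of the original recipe: a PowerShell script that computes the dnscmd log level from the category names in the table above and then parses a DNS Server debug log to summarise the dynamic update requests it contains, per client and zone, which is the check the paragraph above describes. The log lines are constructed for the example (real logs use the same field layout: date, time, thread id, context, packet id, UDP/TCP, Snd/Rcv, remote IP, xid, an R for responses, opcode Q/N/U, the bracketed flags and response code, question type, and the question name in length-prefixed form). The function names and the log path are assumptions.

```powershell
# Added example, not part of the original recipe: build a LogLevel value and
# summarise update transactions from a DNS Server debug log.

# Bit values from the table above. The GUI groups them, and the server only logs a
# packet when a direction, a transport, a content and a type bit are all set.
$DnsLogFlag = @{ Query = 0x1; Notify = 0x10; Update = 0x20; Questions = 0x100; Answers = 0x200
                 Send = 0x1000; Receive = 0x2000; Udp = 0x4000; Tcp = 0x8000; FullPackets = 0x1000000 }

function Get-DnsLogLevel {
    # Returns the hex value dnscmd /Config /LogLevel expects,
    # e.g. Get-DnsLogLevel Update,Receive,Send,Udp,Tcp,Questions
    param([string[]] $Category)
    $level = 0
    foreach ($c in $Category) { $level = $level -bor $DnsLogFlag[$c] }
    '0x{0:X}' -f $level
}

function ConvertFrom-DnsLogName {
    # "(6)client(10)rallencorp(3)com(0)" -> "client.rallencorp.com"; "(0)" alone is the root.
    param([string] $Encoded)
    $name = ([regex]::Replace($Encoded, '\(\d+\)', '.')).Trim('.')
    if ($name) { return $name }
    return '.'
}

$OpName = @{ Q = 'Query'; N = 'Notify'; U = 'Update'; '?' = 'Unknown' }
$LineRegex = '^(?<when>\S+ \S+(?: [AP]M)?) (?<tid>[0-9A-F]+) PACKET\s+(?<pkt>[0-9A-F]+) ' +
             '(?<proto>UDP|TCP) (?<dir>Snd|Rcv) (?<ip>\S+)\s+(?<xid>[0-9a-fA-F]+)\s+(?<resp>R)?\s*' +
             '(?<op>[QNU?]) \[(?<flags>[0-9A-F]{4})\s+(?<fchars>[A-Z ]*?)\s*(?<rcode>[A-Z]+)\]\s+' +
             '(?<qtype>\S+)\s+(?<qname>\S+)'

function ConvertFrom-DnsDebugLog {
    param([string[]] $Lines)
    foreach ($line in $Lines) {
        # Header lines and packet-detail continuation lines do not match and are skipped.
        if (-not ($line -match $LineRegex)) { continue }
        [pscustomobject]@{
            When       = $Matches.when
            Protocol   = $Matches.proto
            Direction  = $Matches.dir
            RemoteIP   = $Matches.ip
            IsResponse = [bool]$Matches.resp
            Opcode     = $OpName[$Matches.op]
            Rcode      = $Matches.rcode
            QType      = $Matches.qtype
            QName      = ConvertFrom-DnsLogName $Matches.qname
        }
    }
}

# Constructed sample, not a real capture: one client queries and then sends a
# dynamic update for rallencorp.com; a second host's update is refused.
$sample = @'
6/21/2023 2:15:03 PM 0B94 PACKET  00000000023D7F50 UDP Rcv 192.168.1.12    0005   Q [0001   D   NOERROR] A      (6)client(10)rallencorp(3)com(0)
6/21/2023 2:15:03 PM 0B94 PACKET  00000000023D7F50 UDP Snd 192.168.1.12    0005 R Q [8085 A DR  NOERROR] A      (6)client(10)rallencorp(3)com(0)
6/21/2023 2:15:04 PM 0B94 PACKET  00000000023D8020 UDP Rcv 192.168.1.12    0006   U [0028 A   NOERROR] SOA    (10)rallencorp(3)com(0)
6/21/2023 2:15:04 PM 0B94 PACKET  00000000023D8020 UDP Snd 192.168.1.12    0006 R U [A8A8 A   NOERROR] SOA    (10)rallencorp(3)com(0)
6/21/2023 2:15:09 PM 0B94 PACKET  00000000023D8110 TCP Rcv 10.0.0.7        0007   U [0028 A   NOERROR] SOA    (10)rallencorp(3)com(0)
6/21/2023 2:15:09 PM 0B94 PACKET  00000000023D8110 TCP Snd 10.0.0.7        0007 R U [A8A8 A   REFUSED] SOA    (10)rallencorp(3)com(0)
'@ -split "`r?`n"

Write-Host ("LogLevel for update troubleshooting: " + (Get-DnsLogLevel Update,Receive,Send,Udp,Tcp,Questions))

$packets = ConvertFrom-DnsDebugLog -Lines $sample
# For a real log (assumed path): $packets = ConvertFrom-DnsDebugLog -Lines (Get-Content 'C:\dnslog.txt')

# Update requests received, per client and zone, with the response codes the server returned.
$packets | Where-Object { $_.Opcode -eq 'Update' -and -not $_.IsResponse } |
    Group-Object RemoteIP, QName |
    ForEach-Object {
        $req = $_.Group[0]
        $ans = @($packets | Where-Object { $_.Opcode -eq 'Update' -and $_.IsResponse -and
                                           $_.RemoteIP -eq $req.RemoteIP -and $_.QName -eq $req.QName })
        [pscustomobject]@{ Client = $req.RemoteIP; Zone = $req.QName; Requests = $_.Count; Responses = ($ans.Rcode -join ',') }
    } | Format-Table -AutoSize
# No rows at all means this server is not the one receiving the updates.
```

A REFUSED response next to a client's update is worth a closer look: on a zone set to secure dynamic updates only, that is what an unauthenticated or unauthorised updater sees, and it is also what you would expect from a host trying to overwrite someone else's record.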

Problem

You want to clear the DNS cache. The DNS cache contains resource records that are cached by the server or workstation for a period of time in memory so that repeated requests for the same record can be returned immediately. There are two types of DNS cache. One pertains to the cache on the Windows DNS client resolver (this can refer to both server and workstation operating systems when they are requesting DNS information from a server), and the other refers to the cache used by the Microsoft DNS server software.

Solution

To flush the client resolver cache, use the following command:

	> ipconfig /flushdns

To flush the DNS server cache, use any of the following solutions.

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. Right-click on DNS in the left pane and select “Connect to DNS Server.”

  3. Enter the server you want to connect to and click OK.

  4. Right-click on the server and select Clear Cache.

Using a command-line interface

The following command will clear the cache on <DNSServerName>. You can leave out the <DNSServerName> parameter to simply run the command against the local server:

	> dnscmd <DNSServerName> /clearcache

Using VBScript
	' This code clears the DNS server cache on the specified server.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winmgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objDNSCache = objDNS.Get("MicrosoftDNS_Cache.ContainerName=""..Cache""" & _
	                             ",DnsServerName=""" & objDNSServer.Name & _
	                             """,Name=""..Cache""")
	objDNSCache.ClearCache
	WScript.Echo "Cleared server cache"

Discussion

The client resolver cache is populated whenever a DNS lookup is performed through the resolver on a workstation or server (e.g., by ping or any application that resolves a name; note that nslookup sends its queries directly to the DNS server and bypasses the resolver cache, so it will not show you what the cache holds). It’s important to remember that this cache stores both positive DNS responses and negative ones. For example, if lost network connectivity causes DNS queries for an external resource like a mail server to fail, those queries will continue to fail until the negative entry expires or the cache is flushed: the queries have been negatively cached.

The second type of cache is in place only on Microsoft DNS servers. It is a cache of all DNS requests that the server has made while processing queries from various clients. You can view this cache by browsing the Cached Lookups folder for a server in the DNS Management snap-in. This folder is not shown by default, so you’ll need to select Advanced from the View menu.

With both the client and server cache, records are removed from the cache after the record’s TTL value expires. The TTL is used to age records so that clients and servers will request an updated copy of the record at a later point in order to receive any changes that may have occurred.

Problem

You want to modify the DNS Server settings.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Right-click on the server and select Properties.

  4. There will be several tabs you can choose from to edit the server settings.

  5. Click OK to commit the changes after you’ve completed your modifications.

Using a command-line interface

With the following command, replace <Setting> with the name of the setting to modify and <Value> with the value to set:

	> dnscmd <DNSServerName> /config /<Setting> <Value>

The following command enables the EnableDnsSec setting on dns01:

	> dnscmd dns01 /config /EnableDnsSec 1

The following command disables the NoTcp setting on the local host:

	> dnscmd /config /NoTcp 0

The following command sets the DsPollingInterval setting to 60 on dns02:

	> dnscmd dns02 /config /DsPollingInterval 60

For the complete list of settings, run dnscmd /config from the command-line.

Using VBScript
	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.<Setting> = <Value> ' e.g. objDNSServer.AllowUpdate = TRUE
	objDNSServer.Put_

Discussion

The Microsoft DNS server supports a variety of settings to configure everything from scavenging and forwarders to logging. With the DNS Management snap-in, the settings are spread over several tabs in the Properties property page. You can get a list of these settings by simply running dnscmd /config from a command line. For the CLI and VBScript solutions, the setting names are nearly identical. In the VBScript solution, be sure to call the Put_ method after you are done configuring settings in order for the changes to take effect.

Problem

You want to query resource records.

Solution

Using a graphical user interface

The DNS Management snap-in does not provide an interface for searching resource records.

Using a command-line interface

In the following command, replace <RecordType> with the type of resource record you want to find (e.g., A, CNAME, SRV) and <RecordName> with the name or IP address of the record to match:

	> nslookup -type=<RecordType> <RecordName>

Using VBScript
	' This code prints the resource records that match
	' the specified name.
	' ------ SCRIPT CONFIGURATION ------
	strQuery = "<RecordName>"
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord" & _
	                              " where OwnerName = """ & strQuery & """" & _
	                              " Or DomainName = """ & strQuery & """" & _
	                              " Or RecordData = """ & strQuery & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strQuery
	else
	   for each objRR in objRRs
	      WScript.Echo objRR.TextRepresentation
	   next
	end if

Discussion

Using a command-line interface

You can leave off the -type switch, and the command will find any A, PTR, and CNAME records that match <RecordName>.

You can also run nslookup in interactive mode, which you enter by typing nslookup at a command prompt with no additional parameters. There, set q=ANY (or set type=ANY) makes subsequent lookups return records of any type, and set q=<RecordType> switches back to a specific type.

Using VBScript

In the VBScript solution, a WQL query was used to find all matching resource records. This is a good example of how powerful the DNS WMI Provider can be. The query attempts to find any object of the MicrosoftDNS_ResourceRecord class that has an OwnerName, DomainName, or RecordData field equal to the <RecordName>. This is not the most efficient query if the server supports multiple large zones, so you may want to restrict it to a single record type by querying the type-specific subclass instead, for example select * from MicrosoftDNS_AType where OwnerName = "<RecordName>" (the subclasses are named MicrosoftDNS_<Type>Type, such as MicrosoftDNS_AType, MicrosoftDNS_PTRType, and MicrosoftDNS_SRVType).


Problem

You want to create and delete resource records in a zone.

Solution

Using a graphical user interface

  1. Open the DNS Management snap-in.
  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.
  3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone folder. If you want to add or delete a record for a reverse zone, expand the Reverse Lookup Zone folder.

To create a resource record, do the following:

  1. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).
  2. Fill in all required fields.
  3. Click OK.

To delete a resource record, do the following:

  1. In the left pane, click on the zone the record is in.
  2. In the right pane, right-click on the record you want to delete and select Delete.
  3. Click Yes to confirm.

Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record named wins01 in the rallencorp.com zone (the address is an example value):

> dnscmd dc1 /recordadd rallencorp.com wins01 A 192.168.52.25

To delete a resource record, use the following command:

> dnscmd <DNSServerName> /recorddelete <ZoneName> <NodeName> <RecordType> <RRData>

The following command deletes that A record from the rallencorp.com zone; the record data must match the record you want removed:

> dnscmd dc1 /recorddelete rallencorp.com wins01 A 192.168.52.25

Using VBScript
	' This code shows how to add an A record and PTR record using
	' the DNS WMI Provider.
	' ------ SCRIPT CONFIGURATION ------
	strForwardRRAdd = "test-xp.rallencorp.com. IN A 192.32.64.13"
	strReverseRRAdd = "13.64.32.192.in-addr.arpa IN PTR test-xp.rallencorp.com"
	strForwardDomain = "rallencorp.com"
	strReverseDomain = "192.in-addr.arpa."
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objRR = objDNS.Get("MicrosoftDNS_ResourceRecord")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")

	' Create the A record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                   objDNSServer.Name, _
	                   strForwardDomain, _
	                   strForwardRRAdd, _
	                   objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' Create the PTR record
	strNull = objRR.CreateInstanceFromTextRepresentation( _
	                   objDNSServer.Name, _
	                   strReverseDomain, _
	                   strReverseRRAdd, _
	                   objOutParam)
	set objRR2 = objDNS.Get(objOutParam)
	WScript.Echo "Created Record: " & objRR2.TextRepresentation

	' This code shows how to delete an A and PTR record for the record
	' we created in the previous example.
	strHostName = "test-xp.rallencorp.com."

	set objDNS = GetObject("winMgmts:root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objRRs = objDNS.ExecQuery(" select * " & _
	                              " from MicrosoftDNS_ResourceRecord " & _
	                              " where OwnerName = """ & strHostName & """" & _
	                              " Or RecordData = """ & strHostName & """")
	if objRRs.Count < 1 then
	   WScript.Echo "No matches found for " & strHostName
	else
	   for each objRR in objRRs
	      objRR.Delete_
	      WScript.Echo "Deleted " & objRR.TextRepresentation
	   next
	end if

Discussion

Using a graphical user interface

The DNS Management snap-in is good for creating a small number of records, but if you need to add or delete more than a couple of dozen, then we’d recommend writing a batch file around dnscmd or using the DNS WMI Provider to automate the process.

Using a command-line interface

Adding A, CNAME, and PTR resource records is straightforward as far as the data you must enter, but other record types, such as SRV, require more data. The help pages for /recordadd and /recorddelete display the required fields for each record type. For example, to add an SRV record using dnscmd, you specify the priority, weight, port, and target hostname, in that order, after the record type. The following command adds a _kerberos._tcp SRV record in the rallencorp.com zone on dc1 that points at dc1.rallencorp.com on port 88:

> dnscmd dc1 /recordadd rallencorp.com _kerberos._tcp SRV 50 100 88 dc1.rallencorp.com

Using VBScript

The first example creates A and PTR records using the CreateInstanceFromTextRepresentation method, which is a MicrosoftDNS_ResourceRecord method that allows you to create resource records by passing in the textual version of the record. This is the textual representation of the A record used in the example:

test-xp.rallencorp.com IN A 192.32.64.13

The first parameter to this method is the DNS server name, the second is the name of the domain to add the record to, the third is the resource record, and the last is an out parameter that returns a reference to the new resource record.

The second example finds all resource records that match a certain hostname and deletes them. This is done by first using a WQL query to find all resource records where the OwnerName equals the target hostname (this will match any A records) and where RecordData equals the target hostname (this will match any PTR records). The Delete_ method is called on each matching record, removing them from the DNS server.

Problem

You want to delegate control of managing the resource records in a zone.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select “Connect to DNS Server.” Select “This computer” or “The following computer,” then enter the server you want to connect to (if applicable) and click OK.

  3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

  4. Right-click on the name of the zone and select Properties.

  5. Click on the Security tab.

  6. Click the Add button.

  7. Use the Object Picker to locate the user or group to which you want to delegate control.

  8. Under Permissions, check the Full Control box.

  9. Click OK.

Using a command-line interface

The following command grants full control over managing the resource records in an AD-Integrated zone:

	> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

Using VBScript
	' This code grants full control for the specified user or group over
	' an AD-Integrated zone.
	' ------ SCRIPT CONFIGURATION -------
	strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
	strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
	' ------ END CONFIGURATION ---------

	set objZone = GetObject("LDAP://" & strZoneDN)
	'############################
	' Constants
	'############################
	' ADS_ACETYPE_ENUM
	Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5

	' ADS_FLAGTYPE_ENUM
	Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1

	' ADS_RIGHTS_ENUM
	Const ADS_RIGHT_GENERIC_ALL = &h10000000

	'############################
	' Create ACL
	'############################

	set objSD = objZone.Get("nTSecurityDescriptor")
	set objDACL = objSD.DiscretionaryAcl

	' Full Control
	set objACE1 = CreateObject("AccessControlEntry")
	objACE1.Trustee    = strUserOrGroup
	objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
	objACE1.AceFlags   = 0
	objACE1.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
	objACE1.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT

	objDACL.AddAce objACE1

	'############################
	' Set ACL
	'############################
	objSD.DiscretionaryAcl = objDACL
	objZone.Put "nTSecurityDescriptor", objSD
	objZone.SetInfo
	WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup

Discussion

By default, members of the DnsAdmins group have control over DNS server and zone configuration. You can delegate control of individual AD-integrated zones by modifying permissions on the zone object in AD; the solutions show how to grant Full Control to an additional user or group over a particular zone. Keep in mind that Full Control includes the right to change the zone object’s permissions and owner, so a delegate can extend their own access or hand it to others. If the delegate only needs to manage records, granting create and delete rights on the zone’s child dnsNode objects (the records) is the tighter choice, and delegating on the zone object is preferable to adding the delegate to DnsAdmins, which affects every zone and the server itself.
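Added here as an example that is not part of the original recipe: a PowerShell script that first lists who already holds broad rights on an AD-integrated zone object and then delegates record management with two narrower ACEs instead of Full Control: create/delete of dnsNode children on the zone, and full rights on the dnsNode objects themselves so existing records can be changed. It assumes the ActiveDirectory module (RSAT) and the AD: drive it provides, that the zone lives in the DomainDnsZones partition, and uses placeholder zone and group names. The dnsNode schema GUID is looked up at run time rather than hardcoded.

```powershell
# Added example, not part of the original recipe: audit broad rights on a zone
# object and delegate record management with least privilege.
Import-Module ActiveDirectory

$ZoneName = 'rallencorp.com'                 # assumption
$Delegate = 'RALLENCORP\DNS-Zone-Editors'    # assumption: delegate to a group, not a user
$Apply    = $false                           # set $true to write the ACEs

$domainDn = (Get-ADDomain).DistinguishedName
$zoneDn   = "DC=$ZoneName,CN=MicrosoftDNS,DC=DomainDnsZones,$domainDn"
$adPath   = "AD:\$zoneDn"

# Records are dnsNode child objects of the dnsZone object; resolve the class GUID from the schema.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$dnsNode     = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=dnsNode)' -Properties schemaIDGUID
$dnsNodeGuid = [guid]$dnsNode.schemaIDGUID

$acl = Get-Acl -Path $adPath

# 1. Audit: GenericAll, WriteDacl or WriteOwner lets a trustee regrant itself (or
#    anyone else) more access later, so every such ACE deserves a review.
$broad = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl -bor
         [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner
$acl.Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and ($_.ActiveDirectoryRights -band $broad) } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited |
    Format-Table -AutoSize

# 2. Two ACEs for the delegate:
#    a) on the zone object: create and delete dnsNode children (add/remove records)
#    b) inherited by dnsNode descendants only: full rights on each record object
#       (needed to edit the dnsRecord attribute of records that already exist)
$sid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate([System.Security.Principal.SecurityIdentifier])

$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    ([System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $dnsNodeGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$editRecords = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $dnsNodeGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($editRecords)

if ($Apply) {
    Set-Acl -Path $adPath -AclObject $acl
    Write-Host "Delegated record management on $zoneDn to $Delegate"
} else {
    Write-Host "Dry run: set `$Apply = `$true to write the two ACEs to $zoneDn"
}
```

The delegate ends up able to add, change and remove records in this one zone but cannot alter the zone object’s own permissions, its replication scope, or anything on other zones or the server, which is the difference between this and the Full Control grant in the solutions.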

Problem

You want to configure forwarding to allow for name resolution outside of your corporate network.

Solution

Using a graphical user interface
  1. Open the DNS Management snap-in.

  2. Connect to the DNS Server you want to modify. In the left pane, right-click on DNS and select “Connect to DNS Server.” Select “The following computer” and enter the target server name. Click OK.

  3. Right-click on the server and select Properties.

  4. Click the Forwarders tab.

  5. To configure a global forwarder, make sure “All other DNS domains” is selected under DNS domain, type an IP under “Selected domain’s forwarder IP address list,” click Add, and then click Apply.

  6. To configure a conditional forwarder for a specific domain, click the New button.

  7. Enter the domain name and click OK.

  8. Add IPs as described for global forwarders in Step 5.

  9. From the Forwarders tab, you can also set the number of seconds that the server waits before forward queries time out. You can also disable the use of recursion for certain domains. Both of these can be set on a per-domain basis.

Using a command-line interface

The following command sets the default forwarders. Replace <IPsOfForwarders> with a space-separated list of IP addresses for the nameservers to forward requests to.

	> dnscmd <ServerName> /resetforwarders <IPsOfForwarders>

For example:

	> dnscmd dns01 /resetforwarders 10.22.3.4 10.22.3.5

The following command creates a domain-based forwarder:

	> dnscmd <ServerName> /zoneadd <DomainName> /forwarder <IPsOfForwarders>

The following command configures the default forwarder timeout:

	> dnscmd <ServerName> /config /forwardingtimeout <NumSeconds>

The following command configures the forwarder timeout for a specific domain:

	> dnscmd <ServerName> /config <DomainName> /forwardertimeout <NumSeconds>

Using VBScript
	' This code enumerates the default forwarders.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns1.rallencorp.com
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	for each strForwarder in objDNSServer.Forwarders
	   Wscript.Echo strForwarder
	Next

	' This code sets the default forwarders.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns1.rallencorp.com
	arrForwarders = Array("<IP1>","<IP2>")
	' ------ END CONFIGURATION --------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	objDNSServer.Forwarders = arrForwarders
	objDNSServer.Put_
	Wscript.Echo "Successfully set default forwarders"
	' This code sets the forwarders for a specific domain.
	' ------ SCRIPT CONFIGURATION ------
	strServer = "<ServerName>" ' e.g. dns01
	strNewZone = "<ZoneName>"  ' e.g. othercorp.com
	arrMasterIPs = Array("<IP1>","<IP2>") ' replace <IPx> with IPs of master server
	' ------ END CONFIGURATION --------
	on error resume next
	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
	strNull = objDNSZone.CreateZone(strNewZone,3,false,"",arrMasterIPs)
	if Err then
	   WScript.Echo "Error occurred creating zone: " & Err.Description
	else
	   WScript.Echo "Domain forwarder created."
	end if

Discussion

Nameservers have long supported the notion of forwarders. Rather than sending all unresolved queries to the root Internet nameservers, you can use forwarders to send queries to a specific server or set of servers, perhaps hosted by your ISP or by a partner corporation. This allows you to better control the name resolution process on your network.

Microsoft has extended this capability in Windows Server 2003 to support conditional forwarding. With conditional forwarding, you can forward unresolved queries for specific domains to different nameservers. The most common use of conditional forwarding is when you have two or more noncontiguous namespaces. Consider, for example, a merger between the rallencorp.com and othercorp.com corporations. Normally, for the nameservers of rallencorp.com to resolve queries for othercorp.com, the queries would have to first be forwarded to the root Internet nameservers. With conditional forwarding, you can configure the rallencorp.com DNS servers so that all requests for othercorp.com should be sent directly to the othercorp.com nameservers and all other unresolved queries should be sent to the Internet, and vice versa. The trade-off for this feature is the additional CPU processing that’s necessary to examine each query and forward it to the appropriate server, rather than just funneling all unresolved queries to a single external server.


Problem

You want to enable zone transfers to specific secondary nameservers.

Solution

Using a graphical user interface

  1. Open the DNS snap-in.
  2. In the left pane, expand the server node and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone you want to manage.
  3. Right-click on the zone and select Properties.
  4. Select the Zone Transfers tab.
  5. Select either the option to restrict zone transfers to those servers listed on the Name Servers tab or the option to restrict zone transfers to specific IP addresses. See the “Discussion” section for more on these two options.

Using a command-line interface

The following command enables zone transfers for the test.local zone and specifies they can only occur with servers that have NS records in the zone (i.e., servers listed within the Name Servers tab of the DNS snap-in):

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureNs

The next command enables zone transfers for same zone, but specifies they can only occur with hosts whose IP addresses are 172.16.22.33 and 172.16.22.34:

> dnscmd <ServerName> /ZoneResetSecondaries test.local /SecureList 172.16.22.33 172.16.22.34

Using VBScript
	' This code creates a nameserver (NS) record on a DNS server.
	' ------ SCRIPT CONFIGURATION ------
	strDNSServer = "<servername>"
	strContainer = "<containername>"   ' zone name, e.g. rallencorp.com
	strOwner = "<ownername>"           ' owner of the NS record, e.g. rallencorp.com
	intRecordClass = 1                 ' IN
	intTTL = 600
	strNSHost = "<nameservername>"     ' FQDN of the secondary nameserver
	strComputer = "."
	' ------ END CONFIGURATION --------

	set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\MicrosoftDNS")
	set objItem = objWMIService.Get("MicrosoftDNS_NSType")
	errResult = objItem.CreateInstanceFromPropertyData _
	               (strDNSServer, strContainer, strOwner, intRecordClass, intTTL, strNSHost)

	' This code configures the allowed secondaries for zone transfer and notify.
	' XFR constants
	const ZONE_SECSECURE_NO_SECURITY = 0
	const ZONE_SECSECURE_NS_ONLY = 1
	const ZONE_SECSECURE_LIST_ONLY = 2
	const ZONE_SECSECURE_NO_XFR = 3

	' NOTIFY constants
	const ZONE_NOTIFY_OFF = 0
	const ZONE_NOTIFY_ALL_SECONDARIES = 1
	const ZONE_NOTIFY_LIST_ONLY = 2

	' ------ SCRIPT CONFIGURATION -------
	strZone = "<ZoneName>" ' e.g. rallencorp.com
	strServer = "<ServerName>" ' e.g. dc1.rallencorp.com
	' use one of the above XFR constants
	intSecureSecondaries = ZONE_SECSECURE_LIST_ONLY
	arrSecondaries = Array("1.1.1.2","1.1.1.3")
	' use one of the above NOTIFY constants
	intNotify = ZONE_NOTIFY_LIST_ONLY
	arrNotify = Array("<IP1>","<IP2>")
	' ------ END CONFIGURATION ---------

	set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
	set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
	set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
	                            strZone & """,DnsServerName=""" & _
	                            objDNSServer.Name & """,Name=""" & strZone & """")
	strNull = objDNSZone.ResetSecondaries(arrSecondaries,intSecureSecondaries, _
	                                      arrNotify,intNotify)
	objDNSZone.Put_
	WScript.Echo "Updated secondaries for zone transfer and notify"

Discussion

Depending on your environment, your DNS implementation may require that you create secondary zones to allow for load balancing for busy DNS servers or remote sites connected by slow links. In this situation, you want to allow zone transfers to occur between your AD-integrated DNS servers and your secondary servers, but you want to restrict which hosts can initiate zone transfers with your AD-integrated nameservers. Allowing anyone to initiate a zone transfer with your domain controllers could provide an attacker with information for mapping out your network; it is therefore critical that you limit which hosts can pull zone transfers from your servers.

If you are using only Active Directory-integrated zones, the Name Servers tab will be automatically populated with a list of all nameservers that are authoritative for the selected zone, and this is the recommended choice when you have a large network with many nameservers deployed. If any of your nameservers are using standard zone files, however, you will need to populate this tab manually for any secondary nameservers you deploy.

Specifying a list of IP addresses for hosts that can initiate zone transfers may be more secure since it is more specific, but this approach has the trade-off of adding the additional management overhead of keeping track of the IP addresses of all nameservers on your network, so you should follow this approach only if your network is small and you have relatively few nameservers deployed. Another disadvantage of this approach is that if you forget to add some IP addresses of nameservers to your list, zone information stored on those servers could become stale, causing name resolution to fail for some of your clients. This could result in some of your users experiencing difficulties in accessing network resources.

Note that on Windows 2000 nameservers, the default setting is to allow zone transfers with any host that requests them. This setting is inherently insecure, as it allows an attacker to pull every resource record in the zone with a single AXFR request (nslookup’s ls -d command is enough), so be sure to use the steps outlined in this recipe to change the setting on your servers to one of the two settings described here. Windows Server 2003 DNS is more secure by default: for file-based zones, it allows zone transfers only with servers listed on the Name Servers tab of the zone, and for Active Directory-integrated zones, it disallows zone transfers entirely, since they generally aren’t needed in an Active Directory environment.
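Added here as an example that is not part of the original recipe: a PowerShell script that audits the zone transfer and notify settings of every zone on one or more DNS servers, flags zones that will hand a full copy to any host that asks, and prints the dnscmd command from the solution that closes them. It reads the same MicrosoftDNS_Zone properties the VBScript above sets (SecureSecondaries, SecondaryServers, Notify, NotifyServers, DsIntegrated). The server names are placeholders, and the account running it needs WMI access to the DNS servers.

```powershell
# Added example, not part of the original recipe: audit zone transfer settings
# across DNS servers and suggest the dnscmd fix for open zones.
$Servers = @('dc1.rallencorp.com', 'dns02.rallencorp.com')   # assumed names

# Meaning of the SecureSecondaries and Notify values (the XFR and NOTIFY constants above).
$xfrName    = @{ 0 = 'AnyHost'; 1 = 'NameServersOnly'; 2 = 'ListOnly'; 3 = 'NoTransfer' }
$notifyName = @{ 0 = 'Off'; 1 = 'AllSecondaries'; 2 = 'ListOnly' }

function Get-ZoneTransferAudit {
    param([string[]] $ComputerName)
    foreach ($server in $ComputerName) {
        $zones = Get-CimInstance -ComputerName $server -Namespace 'root\MicrosoftDNS' `
                                 -ClassName MicrosoftDNS_Zone -ErrorAction Stop
        foreach ($z in $zones) {
            if ($z.AutoCreated) { continue }   # 0.in-addr.arpa and the other auto-created zones
            $finding = ''
            $fix     = $null
            switch ([int]$z.SecureSecondaries) {
                0 {
                    $finding = 'transfers allowed to any host'
                    # File-based zones fall back to the servers with NS records; AD-integrated
                    # zones replicate through AD and usually need no transfers at all.
                    $fix = "dnscmd $server /ZoneResetSecondaries $($z.Name) /SecureNs"
                    if ($z.DsIntegrated) { $fix = "dnscmd $server /ZoneResetSecondaries $($z.Name) /NoXfr" }
                }
                1 { if (-not $z.DsIntegrated) { $finding = 'NS-only on a file-based zone: NS records must be kept current by hand' } }
                2 { if (-not $z.SecondaryServers) { $finding = 'list-only with an empty list: no secondary can transfer' } }
            }
            [pscustomobject]@{
                Server       = $server
                Zone         = $z.Name
                DsIntegrated = [bool]$z.DsIntegrated
                Transfers    = $xfrName[[int]$z.SecureSecondaries]
                AllowedHosts = (@($z.SecondaryServers) -join ',')
                Notify       = $notifyName[[int]$z.Notify]
                NotifyHosts  = (@($z.NotifyServers) -join ',')
                Finding      = $finding
                Remediation  = $fix
            }
        }
    }
}

$audit = Get-ZoneTransferAudit -ComputerName $Servers
$audit | Format-Table Server, Zone, DsIntegrated, Transfers, AllowedHosts, Notify, Finding -AutoSize

# Print the fixes rather than running them: /ZoneResetSecondaries replaces the
# whole setting, so confirm the NS records or the IP list are right first.
$audit | Where-Object Remediation | ForEach-Object { $_.Remediation }
```

Run it from a management host on a schedule rather than once; a zone that was locked down can be reopened by anyone with DnsAdmins rights or Full Control on the zone, and the audit is what catches that.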