Tuesday, 25 September 2012

Windows DNS Server 2008: Setup External Internet DNS Server


Hopefully if you’re in the tech field you know that DNS is one of the main pillars of the Internet and what makes having those delightful friendly domain names (like www.TrainSignalTraining.com and www.TrainSignal.com) possible instead of having to memorize a long list of boring IPs (69.16.232.158).
For those of you that might need a refresher, the DNS service is the address book of the networking world, allowing the translation of human-friendly names to IP addresses at its base level. It also stores other types of records that help in the delivery of different types of information from one end of the Internet to the other.

Why Have An External DNS Server?

Running your own external DNS server is especially useful if you are running IIS and have a lot of sites and don’t want to use a 3rd party option for DNS. For example, at a client I worked with, they owned over 250 domain names and wanted to keep tight control over their DNS in case of server moves and other email considerations.
An external DNS server will also help limit what your network exposes if the server is compromised. If you connect the Internet-facing server to the rest of your DNS servers, your internal network's AD information will be stored on it. Should this external-facing server get hacked or compromised, the attacker would find quite a bit more information than just some publicly available resource records.
Once you have set up the external DNS servers, you have your internal DNS servers (the ones holding your private information) forward requests to the external DNS server for clients that need name resolution for the outside world.

How to Install Windows DNS Server 2008

The first thing we will have to do is set up the DNS Role on the server that we want to use. Let’s walk through that first:
NOTE: This walkthrough is for EXTERNAL DNS servers and will not include information on integrating with Active Directory or installing other components other than what is needed.
1. Open Server Manager and click on Roles in the left pane and then click on Add Roles in the center pane.
2. Depending on whether you checked off to skip the Before You Begin page while installing another service, you will now see warning pages telling you to make sure you have strong security, static IP, and latest patches before adding roles to your server.
If you get this page, then just click Next.
3. Next is the Select Server Roles window, and we are going to go ahead and check DNS Server in the list of possible roles.
Now if you don’t have a Static IP Address assigned to your server you will get the warning:
Either choose to ignore the warning and continue to install, or go back and set a Static IP for the server. Either way, once you are back at the Select Server Roles screen, you can click Next.
4. Next is the DNS Server information screen giving some links to understanding the DNS integration with AD and other information.
Of course since we are configuring an External DNS server we will click Next to continue.
5. Confirm the Installation Selections by reviewing the list and then clicking Install.
6. After a little while you should see the Installation Results page, and hopefully an Installation Succeeded message across from DNS Server. Then click Close.
That’s it! You have now installed the DNS Role on a Windows Server 2008. Let’s go to some configuration tasks now.
Please note that when you install the DNS service, the server will automatically open up port 53 TCP/UDP for DNS-related traffic.

How to Configure Windows DNS Server 2008

Ok, before we start configuring your server there are a few basics we should cover.
Remember I said basics, because I am not going to go beyond what is needed for an External DNS server and confuse the issue, but there are other options beyond what I am going to review here.
  • Forward Lookup Zone – A DNS Zone that does lookups for the domain name to IP address. This is the most common form of zone that people will use.
  • Reverse Lookup Zone – This DNS Zone is the exact opposite of the Forward Lookup Zone and allows an IP address to be mapped back to a domain/hostname.
    Note: Most external Reverse Lookup Zones will not work unless you own your block of IPs. The ISP/WebHost service that you use will more than likely own the reverse IP records, and you will have to request them to make any changes you require.
If you have gone through my earlier IIS articles you know that I have used a test domain called logfiletest.com. Let’s go ahead and create a forward lookup zone for that domain.
1. Open DNS Manager
2. Since I am local to the server it will automatically have itself in the DNS Manager. Expand out the server then right click on Forward Lookup Zones, and then left click on New Zone.
3. Welcome to the New Zone Wizard should be the next window you see. Go ahead and click Next.
4. Next we are going to pick a zone type. Since this is going to be the primary DNS server for logfiletest.com choose Primary Zone, and then click Next.
5. Now we are going to enter the Zone Name, in this case it is logfiletest.com. After entering the name of your zone go ahead and click Next.
6. The next window is about the zone file.
Non-Active Directory zones are kept in a flat text file in %SystemRoot%\system32\dns on the server. You have the option of creating a new one or using one that was copied over from a different server. In our case we will use the default naming and create a new one, by clicking Next.
7. Dynamic Updates allow client computers to create and update their own resource records. On an external server this would be bad, since the clients are hosts on the Internet that you do not control, so we will go with the Do not allow dynamic updates radio button and then click Next.
8. Completing the New Zone Wizard will be the next window and it has a review of the settings you specified during the wizard.
Go ahead and click on Finish to complete the setup of the Forward Lookup Zone for logfiletest.com.
9. On completion you will return to the DNS Manager, and you can see logfiletest.com is now listed under the Forward Lookup Zones folder.
Congratulations on your setup! Though the domain is set up, it currently has no resource records in it to resolve! Let’s fix that and give this server a purpose.
There are different types of resource records, in this case we are going to create a Host (A) record, which maps a name to an IP address.

How to Create a Host (A) Record on Server 2008 DNS

The most basic and simple host record is going to be for a website, so let’s go ahead and map the www of the domain name to the IP that the website uses.
For our example, the IP of logfiletest.com is 192.168.11.5.
1. Open DNS Manager
2. Choose the Forward Lookup Zone you want to work with, in this case logfiletest.com, and right click on it. Select New Host (A or AAAA) and left click on it.
Note: Don’t be confused by the AAAA, as that is used for IPv6 records.
3. The New Host window will now pop up, allowing you to enter the name (if left blank it will use the parent domain name). We will type in www and fill in the IP address we want logfiletest.com to resolve to, which is 192.168.11.5.
If we choose to we can associate a PTR record with this, which would create the reverse lookup. Not necessary in this case since we don’t control the IPs.
Click Add Host when done.
4. You will get a message that confirms the creation of the Host Record, so click OK.
5. Now in the DNS Manager you will see your A resource record for www mapped to the correct IP.
6. Now let’s do a quick test with NSLookup and you will see that the name resolves correctly.
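The reason given earlier for a separate external server is that internal AD information should never sit on the Internet-facing box. As an added example (not part of the original article), the Python below audits a flat zone file like the one kept in %SystemRoot%\system32\dns, flagging Active Directory locator records and addresses that are not publicly routable. The sample zone is constructed, and the AD_LABELS list, ns1 and the "corp" records are assumptions made for the illustration; note that the article's lab address 192.168.11.5 is itself private (RFC 1918) space and is flagged.

```python
import ipaddress

# Labels that Active Directory registers in DNS for DC location (assumed list).
AD_LABELS = {"_msdcs", "_sites", "_ldap", "_kerberos", "_kpasswd", "_gc",
             "domaindnszones", "forestdnszones"}

# Constructed sample in master-file layout. www / 192.168.11.5 and
# 69.16.232.158 are values from the article; ns1 and the "corp" records
# are invented here to show what a leak looks like.
SAMPLE_ZONE = """
;  Database file logfiletest.com.dns for logfiletest.com zone.
@                       IN  SOA ns1.logfiletest.com. hostmaster.logfiletest.com. (
                                3            ; serial number
                                900          ; refresh
                                600          ; retry
                                86400        ; expire
                                3600       ) ; default TTL
@                       NS      ns1.logfiletest.com.
ns1                     A       69.16.232.158
www                     A       192.168.11.5
_ldap._tcp.dc._msdcs    SRV     0 100 389 dc1.corp.logfiletest.com.
dc1.corp                A       10.0.0.10
                        A       10.0.0.11
"""


def parse_zone(text):
    """Return (owner, rrtype, rdata) tuples. Handles ';' comments, '( )'
    continuations and a blank owner column; $-directives are skipped."""
    records, owner, pending, depth = [], "@", "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        pending = pending + " " + line if pending else line
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # still inside a parenthesised multi-line record
        full, pending = pending, ""
        tokens = full.replace("(", " ").replace(")", " ").split()
        if tokens and not full[0].isspace():
            owner = tokens.pop(0)  # first column present: new owner name
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # optional TTL and class
        if tokens:
            records.append((owner, tokens[0].upper(), " ".join(tokens[1:])))
    return records


def audit_zone(text):
    """List records that do not belong on an Internet-facing DNS server."""
    findings = []
    for owner, rrtype, rdata in parse_zone(text):
        if set(owner.lower().rstrip(".").split(".")) & AD_LABELS:
            findings.append((owner, rrtype, "Active Directory locator record"))
        elif rrtype in ("A", "AAAA"):
            try:
                public = ipaddress.ip_address(rdata).is_global
            except ValueError:
                public = False  # unparseable address: report it as well
            if not public:
                findings.append((owner, rrtype, "not publicly routable: " + rdata))
    return findings
```

Calling audit_zone() on the text of a zone file copied from the server returns one tuple per suspect record; an empty list means nothing in the file matched either check.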

Summary for Creating External DNS Server

So we have walked through the following:
  • Installing DNS Role on a Windows Server 2008
  • Created a Forward Lookup Zone
  • Created a Host (A) Resource Record
Again this is just the basics for getting you started in running your own External DNS Server.
In the future we will discuss the different types of resource records and how they are used, how to make use of features such as round robin DNS, and how to set up redundancies to keep your sites resolving correctly.

Server 2008 Active Directory: Adding a Child Domain


Why Add a Child Domain?

There are several good reasons for splitting the new office into its own child domain. Here are 3 of them:
  • Less Network Traffic between your main office and the new one – that means your company will spend less money on the direct connection between the two offices and you will never experience a network delay.
  • You will be able to delegate control of the new network to another administrator who actually lives in the location of the new office. If your offices are close and you are about 20 minutes away to any one of them, then I guess that’s no big deal. But if your main office is located in New York and the new office is going to be in … oh, let’s say Paris, how the heck are you going to get there in case of an emergency? See my point?
  • Having the child domain will allow you to keep track of what is going on in a specific office.
These are only the main good reasons for creating a child domain. Once you start working in an environment with sub domains you will realize there are a lot more good reasons for splitting the two locations in your Active Directory.

Before you begin …

1. In order to create a child domain on your network, you will need another server, or rather a Domain Controller.
You can build that DC in your main office and then ship it out to the new office. This DC will also be a Global Catalog as well as DNS Server to assist all the clients in the new office with any DNS requests, etc.
2. You also need to prepare your current network for the new sub domain. So before you begin with the new DC configuration you need to do the following:
  • Create a new site in your Active Directory that will represent the physical structure of your network. In my example our main office is in New York and the new one is in Chicago. Based on that info, you would create a new site for the Chicago office.
  • In addition to the new site you will also need to create a new subnet for your new location. It will allow you to track all of your machines by location. This new subnet should be assigned to your new location.
Once you prepare your network as mentioned above, we are now ready to create a new Domain Controller.

Creating a New Domain Controller

Once you have prepared your network for your child domain and have created the site and subnet, it’s time to install the new DC on our new site.
As you can see, our main office is in New York and we have 3 DCs already configured in the New York site (see the screenshot below).
Our new site, called Chicago, doesn’t have any DCs configured yet. This is where we are going to configure our new DC.
Server 2008 Active Directory: Adding a Child Domain - 1
1. After you have installed Windows Server 2008 on your new machine and completed all the Initial Configuration Tasks, open up Server Manager and click on the Roles section.
2. We will need to install the Active Directory Domain Services (ADDS) Role first. So go ahead and check the box next to it and click Next.
3. In this window you will see some additional information about ADDS. Once ready, click on Next.
4. As always you are being informed that once the installation is completed the server will restart and you will need to use the ADDS Installation Wizard to make the server a fully functional Domain Controller.
Go ahead and click on the Install button.
5. The installation will now run for a few minutes.
6. Now it’s time to click on the link and run dcpromo.exe.
7. Go ahead and click Next on the welcome screen.
8. And Next again (for more detailed information on this step you can check out this post on Installing Active Directory Domain Services on Server 2008).
9. Since this is going to be your child domain, make sure you select the Existing forest option and then select Create a new domain in an existing forest.
When ready, click on the Next button.
10. Type in your domain name with the correct Internet suffix. In my example I’m using our globomantics.com domain.
Since this domain already exists and you are logged in to this machine only as a local administrator you will also need to enter alternate credentials of a domain administrator in order to proceed.
So go ahead and click on the Set button.
11. Enter the domain administrator’s name and password, then hit OK.
12. When ready, click on Next.
13. In this step you will need to enter the Fully Qualified Domain Name (FQDN) of your child domain in two steps.
The first is the FQDN of your parent domain. In our example it is going to be globomantics.com.
Next you need to enter the single-label DNS name of your child domain — that means anything that is before the globomantics.com.
In my example I entered na for na.globomantics.com — as seen on the bottom.
That will be our FQDN for the new child domain. Once ready, click on the Next button.
Server 2008 Active Directory: Adding a Child Domain - 14
14. Now it’s time to select a site for this DC.
Now you see why we needed to create the new site before we started this installation. Select the correct site and click Next.
15. As mentioned earlier we are going to make this DC be our DNS server as well as Global catalog for our new site.
Make sure both check-marks are checked and then click on the Next button.
16. I would recommend leaving the default locations for these databases unless you have a really good reason not to. Click Next.
17. In this window you will need to set up the Directory Services Restore Mode Administrative Password for restore purposes.
Go ahead and type that in and then click on the Next button.
18. On this summary window double check your selections and when ready click Next.
19. You can check the box Reboot on completion and let the installation complete.
Congratulations! Your Child Domain has been created!

Installing Software Using GPOs on Windows Server 2008


Imagine for a minute that your boss came in one day, gave you a Foxit DVD and said that everyone in your organization needs to get that PDF software that’s on this DVD installed today.
You think, well that’s great but are you sure you want all 500 people to get the software today?
That’s almost impossible, isn’t it? There isn’t enough time for you to walk around with the DVD and install it 500 times.
Sure there is! But you won’t be walking around with the DVD in your hand, that’s for sure.
The solution I’m going to show you today is quite simple, and much less time consuming.
You are going to copy that software to a Shared Folder on your network. Then, you’re going to create a Group Policy Object, aka GPO, (aren’t you happy you installed Active Directory?) that will take that software and install it on everyone’s machines.
Easy, huh? Of course it is and it is not going to take you days, I promise.

What You Need Before Installing Software Using GPOs

There are 3 things you will need in order to have a successful Software Installation GPO:
1. The most important thing you will need is a Microsoft installer file, called .msi — you cannot use the .exe file that is on the DVD.
You will need to get a packaging utility to turn that .exe file into an .msi file. Many of them are available for instant download from the Internet.
There are a few that will cost money but there are also free downloads. Here is an example from each:
2. The second thing you will need to create is a Shared Folder on your network for the software to live in. You need to make sure that every computer has at least "read" access to that folder and its contents.
3. And the last thing you will need is the new Group Policy Object linked to the appropriate Organization Unit.

How to Install Software Using GPOs

Assuming that you already have the .msi file ready, let’s start with creating a shared folder on our network.
1. Browse to the location on your network, right-click and select New, then Folder.
2. Name the folder — in this example we are going to call it "Software".
3. Select that folder and then click on the Share button on the menu toolbar.
4. Like I mentioned above, every machine needs to have at least read access to this folder. To do this type in Everyone and hit enter, or click on the Add button.
5. Make sure the Permission Level says Reader and then click the Share button.
6. Remember or write down the location of this shared folder. In our example the location is \\NY-MEM1-2K8\Software
7. Double click on the Shared Folder you just created and once again perform the steps to create a new folder.
This time name the folder with a name specific to the software you are about to install. We are going to call it "Foxit".
8. Double click on the new folder ("Foxit") and copy and paste the .msi file for the software you want to install. Our .msi is called FoxitReader23.
9. Now it is time to switch to your domain controller.
We are going to switch to our DC1 server. Once there, go ahead and open up Server Manager.
10. Now you need to point to the Organizational Unit where the new Group Policy Object will reside.
To start off, go ahead and expand Features, then Group Policy Management, and then your Forest. In our example it is the Globomantics.com forest.
11. Then expand Domains and then the domain in which you want to create the GPO.
12. Once you are in the correct domain, expand the Organizational Unit. In our example, we are expanding NewYorkOU.
13. Since we want the software to be installed on every single computer, we are going to create the Group Policy Object in our NYComputers Organization Unit.
Go ahead and click on that OU.
14. To create a new GPO, right-click on the appropriate Organization Unit and select Create a GPO in this domain, and Link it here…
15. Name your new GPO and hit OK.
16. To make sure the new GPO was created, go ahead and expand the Group Policy Objects.
You should see your GPO listed there. That GPO is now being linked to our NYComputers OU.
17. Select and then right click on the GPO under the Organization Unit. Then select Edit.
18. That should open a Group Policy Management Editor.
19. Go ahead and expand Computer Configuration, then Policies, and then Software Settings.
20. Next click on and select Software Installation.
21. Right click on the right side of the Software Installation, select New and then click on Package.
22. Browse to the location where your software .msi file exists.
In our example it is NY-MEM1-2K8 → Software → Foxit. Once you have located it, double click on the file or select it and then click on the Open button.
23. Select Assigned and click OK.

Testing

Before you actually go and test this on one of your client machines, do not forget to run a GPO Update. To do so, open up your command prompt on your Domain Controller and type in gpupdate /force.
Once the update has run through, you can go to one of your clients and restart the machine. Keep in mind that in order for the software to be installed on a computer, you will need to do a hard reboot.
Now go ahead and relax for the rest of your day.