This is part 4 of 5 in the series Server 2016 Essentials setup guide

Our Server 2016 Essentials box is installed and has a static IPv4 and IPv6 address… now it needs to be able to talk to the internet and provide name resolution for our local domain — it’s time to set up DNS.  Say what you will, Windows DNS is pretty simple to set up and just works with everything you throw at it.  In this guide, we’ll set up both forward and reverse DNS zones for both our IPv4 and IPv6 networks and set up DNS forwarding.  Let’s get started…

The Windows DNS server is automatically installed and set up by the Windows Server Setup (WSS) Wizard on Windows Server Essentials 2016, so we don’t have to worry about that.  If you’re using the Standard or Datacenter edition of Server 2016, you’ll have to install the DNS Server role manually in Server Manager.  In this guide, we’ll start by setting up reverse DNS zones for IPv4 and then IPv6.  Then we’ll set our Windows DNS server to forward requests upstream and test everything out.  Note:  I’m setting this system up as a forwarding DNS server.  It’s possible to have Windows DNS use root hints and do all its own lookups, but that’s not the point of this guide.  Instead, this server will be authoritative for the local domain and provide all needed name resolution, but will hand off lookups of other domains to an upstream server that you designate.  This is consistent with the setup most small businesses and labs use, since there’s probably an upstream firewall/gateway appliance that already does DNS lookups, or you’re using an external DNS provider such as your ISP (bad idea), OpenDNS or Google DNS, etc.

Reverse DNS Zones

Reverse DNS maps IP addresses to hostnames (i.e. the reverse of forward mapping).  This is mostly useful for e-mail servers, since it provides a check of whether a particular server really does come from where it says it does.  So, since this series does not cover email servers, this step wouldn’t normally be included.  However, it’s pretty simple to set up on a Windows DNS server and opens up more options for using your new server, so it makes sense to just get it out of the way while we’re setting things up anyway.  Note:  You can skip reverse zone setup completely and still have a fully functioning DNS server, so it’s up to you, I won’t be angry at you!

To get started, open up your DNS server MMC snap-in by going to the Start Menu and typing ‘dns’.  Choose the second result — the one that says “Desktop app”. (SCREENSHOT)  You’ll notice upon opening it and expanding your servername, the forward zone is already created but the reverse zones are empty.

IPv4 reverse DNS zone

  1. Right-click on your servername and choose “New Zone”.  (SCREENSHOT)
  2. Click “Next” to skip the welcome screen of the New Zone Wizard.
  3. Choose “Primary Zone” and ensure that “Store the zone in Active Directory” is checked. Click “Next”.  (SCREENSHOT)
  4. Select the SECOND radio button, “To all DNS servers running on domain controllers in this domain: internal.domain.tld” where internal.domain.tld is the domain name for your network as we set in Part II when we installed WSE2016.  Click “Next”.  (SCREENSHOT)
  5. Choose “Reverse Lookup Zone” since that’s what we’re doing… click “Next”.  (SCREENSHOT)
  6. Select “IPv4 Reverse Lookup Zone” and click “Next”.  (SCREENSHOT)
  7. Enter your Network ID, which is the fixed portion of your IPv4 Network Address, in the top box.  Your in-addr.arpa zone entry will be automatically generated and displayed in the lower box.  Click “Next” when you’re done.  (SCREENSHOT)

    Reverse subnetting is way beyond the scope of this guide, but you likely don’t need to fully understand it anyway to get a functioning setup.  Basically, you need to let the DNS server know what portion of your IP address stays the same (i.e. what your subnet mask defines) and what portion will need to be looked up to find corresponding hostnames.  In my case, my network is 10.1.1.0/24.  The /24 means a subnet mask of 255.255.255.0.  This states that the first 3 octets stay the same (10.1.1) and that the last octet can be anything from 0-255.  So my Network ID (the unchanging part) is simply 10.1.1.  To form a reverse zone, you reverse the octets and add the special suffix in-addr.arpa to the end, so it becomes 1.1.10.in-addr.arpa.  Here are a few examples for the most common netmasks I run into:

    CIDR IP Range   Subnet mask     Meaning                                  Network ID
    192.168.0.0/24  255.255.255.0   3 octets fixed                           192.168.0
    192.168.0.0/16  255.255.0.0     2 octets fixed                           192.168
    192.168.0.0/22  255.255.252.0   2 octets fixed, 4 bits unset in 3rd      4 IDs defined:
                                    octet (252,253,254,255)                  192.168.0, 192.168.1,
                                                                             192.168.2, 192.168.3

  8. Select “Allow only secure dynamic updates…” and click “Next”.  This will allow DHCP to dynamically update records once we get that set up in the next part.  Also, it will only allow authenticated machines/users with the correct permissions to update DNS records so we can mitigate DNS attacks such as cache poisoning, etc.  (SCREENSHOT)
  9. Confirm your settings and press “Finish” to complete the wizard.
    • Remember that if you have a complex mask such as /22 (255.255.252.0) then you’ll have to repeat this wizard to add all your reverse zones!

IPv6 Reverse Zones

  1. Right-click on your servername and choose “New Zone”.  (SCREENSHOT)
  2. Click “Next” to skip the welcome screen of the New Zone Wizard.
  3. Choose “Primary Zone” and ensure that “Store the zone in Active Directory” is checked. Click “Next”.  (SCREENSHOT)
  4. Select the SECOND radio button, “To all DNS servers running on domain controllers in this domain: internal.domain.tld” where internal.domain.tld is the domain name for your network as we set in Part II when we installed WSE2016.  Click “Next”.  (SCREENSHOT)
  5. Choose “Reverse Lookup Zone” since that’s what we’re doing… click “Next”.  (SCREENSHOT)
  6. Select “IPv6 Reverse Lookup Zone” and click “Next”.  (SCREENSHOT)
  7. Thankfully, this wizard will take care of creating any required multiple reverse zones depending on the netmask.  However, we’ll only need one because we’re using a /64 netmask, right?  You remember that whole discussion from Part III, right?  In my setup I’m using fdf1:a725:4eeb:9a14::/64.  Make sure you enter your network prefix and then end it with “::/64”.  This way, Windows will create one big reverse lookup zone.  (SCREENSHOT)
  8. Select “Allow only secure dynamic updates…” and click “Next”.  This will allow DHCP to dynamically update records once we get that set up in the next part.  Also, it will only allow authenticated machines/users with the correct permissions to update DNS records so we can mitigate DNS attacks such as cache poisoning, etc.  (SCREENSHOT)
  9. Confirm your settings and press “Finish” to complete the wizard.

Update Server Reverse Zone Entries

When WSS installed the DNS server, it created forward zone entries for the server.  However, no reverse zones existed so we need to ensure that those zones contain corresponding entries for the server.  This process is handled, ironically, in the FORWARD Lookup Zone.

  1. Expand your <servername> | Forward Lookup Zones | <domain.tld>
  2. Find the A record for your server hostname, double-click to open it and check the box that reads “Update associated pointer (PTR) record”.  Click OK.  (SCREENSHOT)
  3. Find the AAAA record for your server hostname corresponding to the static IP address YOU assigned, not the one Windows assigned (in my case, fdf1:a725:4eeb:9a14::ffff), double-click to open it and check the box that reads “Update the associated pointer (PTR) record”.  If it’s already checked, uncheck and re-check it.  Click OK.  (SCREENSHOT)
  4. Now, wait a minute or two…
  5. Expand <servername> | Reverse Lookup Zones | <IPv4 zone>.  Right-click in the right side of the window, choose “Refresh”.  You should see the reverse DNS entry for your server.  (SCREENSHOT)
  6. Expand <servername> | Reverse Lookup Zones | <IPv6 zone>.  Right-click in the right side of the window, choose “Refresh”.  You should see at least one reverse DNS entry for your server.  (SCREENSHOT)
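Here is a small Python script, added to this guide as an illustration (it is not something Windows or the New Zone wizard ships), that works out the reverse zone names the wizard derives from a Network ID, including the /22 case that needs four zones and the single ip6.arpa zone for a /64, and then checks which zone the server’s PTR record will land in.  The 10.1.1.0/24 and fdf1:a725:4eeb:9a14::/64 networks and the ::ffff server address are the ones from this guide; the 10.1.1.5 host address is made up.

```python
import ipaddress

def ipv4_reverse_zones(cidr):
    """in-addr.arpa zone names the New Zone wizard needs for an IPv4 network.

    Windows reverse zones are octet-granular, so a /22 becomes four /24
    zones (the 'complex mask' case that means re-running the wizard) and a
    /25 still lives in its enclosing /24 zone (RFC 2317 delegation aside).
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("a /0 has no fixed octets and therefore no reverse zone")
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    target = -(-net.prefixlen // 8) * 8   # round the prefix up to an octet boundary
    zones = []
    for block in net.subnets(new_prefix=target):
        fixed = str(block.network_address).split(".")[: target // 8]
        zones.append(".".join(reversed(fixed)) + ".in-addr.arpa")
    return zones

def ipv6_reverse_zone(cidr):
    """ip6.arpa zone name for a nibble-aligned IPv6 prefix (one zone for a /64)."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen % 4:
        raise ValueError("prefix length must be a multiple of 4 (one hex nibble)")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def ptr_record(address, zones):
    """Owner name of the PTR record for `address` and the zone it lands in.

    Raises LookupError when no zone in `zones` covers the address, which is
    what you hit when one of a /22's four /24 zones was never created: the
    PTR record then has no zone to be written into.
    """
    owner = ipaddress.ip_address(address).reverse_pointer
    for zone in zones:
        if owner.endswith("." + zone):
            return owner, zone
    raise LookupError(f"no reverse zone among {zones} covers {address}")

if __name__ == "__main__":
    v4 = ipv4_reverse_zones("10.1.1.0/24")                 # the guide's IPv4 network
    v6 = [ipv6_reverse_zone("fdf1:a725:4eeb:9a14::/64")]   # the guide's IPv6 prefix
    print(v4, ipv4_reverse_zones("192.168.0.0/22"), v6)
    print(ptr_record("10.1.1.5", v4))                      # 10.1.1.5 is a made-up host
    print(ptr_record("fdf1:a725:4eeb:9a14::ffff", v6))     # the guide's server AAAA address
```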

Update DNS server properties

Now that we’ve got everything set up, it’s time to tweak a few of the settings Windows makes during the installation of the DNS server component.

  1. Right-click on your servername and choose “Properties”
  2. The Interfaces tab:  The listening setting of “All IP addresses” is likely correct for 99% of all cases.  If you need to prevent the server from listening on a certain IP address, go ahead and edit that now.  Possible cases where you may need to edit this include proxy addresses and multi-homed interfaces (see my post on ‘One Server, Multiple IP addresses’ for details).  (SCREENSHOT)
  3. Forwarders tab:  The listed servers are probably wrong…  Click the “Edit” button.  (SCREENSHOT)
    1. Highlight the first entry in the list and click the “Delete” button as many times as necessary to clear the list.
    2. Enter the FQDN or IP address of your upstream DNS server.
    3. Windows should resolve the server name (or validate the IP address you entered) and then display a green checkmark.
      • If you enter a server name, Windows will try to resolve both an IPv4 and an IPv6 address.  Delete any that you don’t need or that don’t exist.
    4. Here’s my setup for reference.
  4. Advanced tab:  Check the “Enable automatic scavenging of stale records” checkbox and accept the default scavenging period of 7 days.  (SCREENSHOT)
  5. Press the “Apply” button and go to the “Monitoring” tab.
    1. Check both test checkboxes (Simple and Recursive query tests)
    2. Press the “Test Now” button
    3. The test results should show “Pass” for both tests.  (SCREENSHOT)
  6. Click OK to close the dialog box

That’s it for DNS!  You should see that Windows now realizes it has internet access, since the DNS server is forwarding to an upstream server and name resolution is working properly.  However, you should probably do one more thing before you call it a day with this task…

Windows updates…

Since you have DNS set up and Windows now has name resolution, you know it’s just dying to update itself, right?  Now would be a really good time to get all those pending updates out of the way before we continue setting stuff up.  If you need help getting those updates, here’s a quick rundown:

  1. Open your Start Menu.
  2. Click on the Settings cogwheel on the left
  3. Select “Update & security”
  4. Go ahead and check for updates…
  5. While Windows does that, you might want to “Change active hours”
  6. You should also click on the “Advanced options” and check the box that says “Give me updates for other Microsoft products when I update Windows” so you’ll get updates for Visual C++, SQL, etc.


Ok, well that’s it for this part of the guide.  I hope you’re enjoying this so far and it’s helping you get your Windows Server Essentials box set up properly!  Join me in the next part where we’ll set up DHCP and set up scopes for both IPv4 and IPv6 networks.

Thanks for reading my techie-thoughts on this issue. Have any comments? Suggestions? Want to add your tips? Things you want me to cover in a future article? Comment below!