By Sander Berkouwer
Although most DNS Servers run on Domain Controllers with Active Directory-integrated DNS zones, I’ll show you some other implementation scenarios where Server Core DNS Servers might save your day!
The DNS Server role has been available in Server Core since Windows Server 2008; Windows Server 2008 R2 was the first Server Core release whose DNS Server supports DNSSEC.
Configuring Server Core as a DNS Server
Installing the DNS Server role on a Domain Controller is as easy as selecting the option to install DNS in the Active Directory Domain Services Configuration Wizard, typing InstallDNS=Yes in a dcpromo.exe unattend answer file, or accepting the defaults (the -InstallDns parameter) when you promote the first Domain Controller of a new domain or forest with Install-ADDSDomain or Install-ADDSForest.
Besides serving name resolution from Server Core Domain Controllers, there are two other plausible scenarios for Server Core DNS Servers.
Configuring a DNS Server in the DMZ
Server Core installations expose a smaller attack surface (fewer binaries, services, and open ports, and consequently fewer patches and reboots), so placing them in your perimeter network or Demilitarized Zone (DMZ) to provide DNS is a better idea than placing Server with a GUI installations there. With Server Core DNS Servers, you can still manage the DNS Servers with the command line and graphical tools you’re used to, but you gain some of the security, availability, and modularity benefits you’d normally only get from Linux- or UNIX-based DNS Servers.
To configure a Server Core installation as a DNS Server in the DMZ, start by giving it a network connection in the DMZ network segment. Next, provide it with a meaningful hostname and IP addresses in that segment. You can perform these configuration steps with sconfig.cmd, netsh.exe, netdom.exe, and/or the Rename-Computer and New-NetIPAddress cmdlets. Leave the server standalone (in a workgroup): a DMZ host that is a member of the internal Active Directory domain needs firewall openings back to the Domain Controllers and holds a domain credential an attacker can use once the host is compromised.
The next step is to install the DNS Server role. Since we used the PowerShell cmdlet the last time, this time we’ll use the almost deprecated command line alternative, Dism.exe:
Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools
Now, depending on your preferences, you can configure the DNS Server with either dnscmd.exe or one or more of the 99 DNS Server-related PowerShell cmdlets.
For instance, to add a primary forward lookup zone for dmz.servercore.net and the matching primary reverse lookup zone for the 85.17.209.0/24 network, use the following two dnscmd.exe commands. Note that the reverse zone for a /24 is named after the first three octets in reverse order (209.17.85.in-addr.arpa), the same name the zone file carries:
dnscmd.exe localhost /ZoneAdd dmz.servercore.net /Primary /file dmz.servercore.net.dns
dnscmd.exe localhost /ZoneAdd 209.17.85.in-addr.arpa /Primary /file 209.17.85.in-addr.arpa.dns
To configure the same settings with PowerShell, the following two commands can be used:
Add-DnsServerPrimaryZone -Name "DMZ.ServerCore.Net" -ZoneFile "dmz.servercore.net.dns"
Add-DnsServerPrimaryZone -NetworkID 85.17.209.0/24 -ZoneFile "209.17.85.in-addr.arpa.dns"
Hosts in the DMZ will typically use this server as their resolver for names outside the DMZ as well, so a DMZ DNS Server is rarely deployed without forwarders. The following command configures the public Google DNS Servers as forwarders (use the resolvers your organization trusts; every query the server cannot answer from its own zones is sent to them). Bear in mind that forwarding implies recursion: if this server is also reachable from the Internet, it is an open resolver unless recursion is disabled, so decide whether the box is a resolver for DMZ hosts or an authoritative server for the outside world, not both.
dnscmd.exe localhost /ResetForwarders 8.8.8.8 8.8.4.4
In PowerShell, the following two commands configure the same settings:
Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru
Add-DnsServerForwarder -IPAddress 8.8.4.4 -PassThru
That’s it! Your Server Core DNS Server is up and running. To add an A record and its associated PTR record to the forward and reverse zones (for instance, for mail.dmz.servercore.net with IP address 85.17.209.74), you can use the following commands. The A record needs its address, and the PTR record is added to the reverse zone by zone name (not by zone file name) together with the host name it should point back to:
Add-DnsServerResourceRecordA -Name "mail" -ZoneName "dmz.servercore.net" -IPv4Address 85.17.209.74
Add-DnsServerResourceRecord -Ptr -Name "74" -ZoneName "209.17.85.in-addr.arpa" -PtrDomainName "mail.dmz.servercore.net"
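The whole DMZ build above, from role installation to the hardening steps that a perimeter placement calls for, as one idempotent script. This is an added example and not code from the original post; it assumes the zone and network from the post (dmz.servercore.net on 85.17.209.0/24), that the server already has its DMZ address, and that the host records, forwarders, and the $internetFacing switch are placeholders you adjust. It uses the -CreatePtr parameter of Add-DnsServerResourceRecordA so the A and PTR records are created in one call.

```powershell
# Added example (not from the original post): build and harden a Server Core
# DNS Server for a DMZ. Assumptions: zone dmz.servercore.net on 85.17.209.0/24
# as in the post; the records, forwarders and $internetFacing are placeholders.
#Requires -RunAsAdministrator

$zone        = 'dmz.servercore.net'
$network     = '85.17.209.0/24'
$reverseZone = '209.17.85.in-addr.arpa'
$forwarders  = '8.8.8.8', '8.8.4.4'       # upstream resolvers this server forwards to
$records     = @{                          # constructed sample hosts
    'mail' = '85.17.209.74'
    'www'  = '85.17.209.80'
}
$internetFacing = $false                   # assumption: $true for an authoritative-only box

# 1. Role install (no-op if it is already present)
Install-WindowsFeature -Name DNS -IncludeManagementTools | Out-Null

# 2. Forward and reverse zones; -NetworkID derives the in-addr.arpa name from the prefix
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns"
}
if (-not (Get-DnsServerZone -Name $reverseZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkID $network -ZoneFile "$reverseZone.dns"
}

# 3. A records with their PTRs created in the same call
foreach ($name in $records.Keys) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordA -Name $name -ZoneName $zone -IPv4Address $records[$name] -CreatePtr
    }
}

# 4. Forwarders; root hints are not needed when everything goes upstream
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false

# 5. Hardening:
#    - no zone transfers from a DMZ primary (list secondaries explicitly if you have any)
#    - drop out-of-bailiwick answers and protect the cache against pollution
#    - recursion only when DMZ hosts genuinely use this box as their resolver;
#      an Internet-reachable server with recursion on is an open resolver
Set-DnsServerPrimaryZone -Name $zone        -SecureSecondaries NoTransfer
Set-DnsServerPrimaryZone -Name $reverseZone -SecureSecondaries NoTransfer
Set-DnsServerCache -PollutionProtection $true
Set-DnsServerRecursion -SecureResponse $true
if ($internetFacing) { Set-DnsServerRecursion -Enable $false }

# 6. Verify: the server answers authoritatively for both zones and the PTR round-trips
Test-DnsServer -IPAddress 127.0.0.1 -ZoneName $zone
Test-DnsServer -IPAddress 127.0.0.1 -ZoneName $reverseZone
Resolve-DnsName -Name "mail.$zone" -Server 127.0.0.1 -Type A
Resolve-DnsName -Name '85.17.209.74' -Server 127.0.0.1 -Type PTR
```

Run it elevated on the Server Core box itself. The Test-DnsServer calls report Success only when the server is authoritative for the zone, which is the quickest way to spot a mistyped reverse zone name.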
Configuring secondary DNS zones
In traditionally security-conscious environments, the Domain Name System services would be hosted on Linux- or UNIX-based hosts running the BIND DNS Server software. For ease of management, conformity, or migration purposes, you could configure a Server Core installation to host secondary copies of the BIND primary zones. In this example, we’ll migrate a BIND-based DNS Server environment to Windows Server 2012-based Server Core DNS Servers.
Start by installing the DNS Server role with the following short PowerShell command:
Install-WindowsFeature DNS -IncludeManagementTools
The next step is to add secondary zones for all the DNS zones hosted on the BIND-based DNS servers; you’ll need one line per zone. Before you do, make sure the BIND server permits zone transfers to the new host (the allow-transfer statement for each zone, or in the global options), otherwise the transfers will be refused. With the BIND host running on 220.127.116.11, the lines would look like these:
Add-DnsServerSecondaryZone -Name "servercore.net" -ZoneFile "servercore.net.dns" -MasterServers 220.127.116.11
Add-DnsServerSecondaryZone -Name "dirteam.com" -ZoneFile "dirteam.com.dns" -MasterServers 220.127.116.11
Add-DnsServerSecondaryZone -Name "berkouwer.org" -ZoneFile "berkouwer.org.dns" -MasterServers 220.127.116.11
Now request a full zone transfer for each zone. Adding a secondary zone already triggers a transfer, but forcing one lets you see the result right away. Note that Sync-DnsServerZone, despite its name, only writes the in-memory copy of a zone to its zone file and does not pull anything from the master; the cmdlet that requests a transfer is Start-DnsServerZoneTransfer:
Start-DnsServerZoneTransfer -Name "servercore.net" -FullTransfer -PassThru -Verbose
Start-DnsServerZoneTransfer -Name "dirteam.com" -FullTransfer -PassThru -Verbose
Start-DnsServerZoneTransfer -Name "berkouwer.org" -FullTransfer -PassThru -Verbose
Once the zone transfers have completed (check that the records and the SOA serial on the Server Core DNS Server match the BIND master before you continue), convert the secondary zones to primary zones:
ConvertTo-DNSServerPrimaryZone -Name "servercore.net" -PassThru -Verbose -ZoneFile "servercore.net.dns"
ConvertTo-DNSServerPrimaryZone -Name "dirteam.com" -PassThru -Verbose -ZoneFile "dirteam.com.dns"
ConvertTo-DNSServerPrimaryZone -Name "berkouwer.org" -PassThru -Verbose -ZoneFile "berkouwer.org.dns"
On the BIND servers, reconfigure the previously primary zones as secondary zones slaved to the new Server Core DNS Server, or decommission them. When other secondary copies of these zones exist on other DNS servers, update their configuration to use the new Server Core DNS Server as their master. Finally, check the zone transfer settings on the new primary zones and restrict transfers to exactly those secondaries: a zone that transfers to any server hands an attacker a complete inventory of your hosts.
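The migration above as one script that refuses to convert a zone whose transfer did not match the BIND master, and that locks down transfers and notifications on each converted primary. This is an added example, not code from the original post; the master address, the zone list and the secondary server address are placeholders (TEST-NET ranges), and it assumes the BIND server already allows transfers to this host.

```powershell
# Added example (not from the original post): migrate zones from a BIND primary
# to a Server Core DNS Server, verifying each transfer before converting it and
# restricting transfers afterwards. $bindMaster, $zones and $newSecondaries are
# placeholders; BIND's allow-transfer must already include this host.
#Requires -RunAsAdministrator

$bindMaster     = '192.0.2.53'                                    # placeholder BIND primary
$zones          = 'servercore.net', 'dirteam.com', 'berkouwer.org' # zones from the post
$newSecondaries = @('198.51.100.53')                              # placeholder: servers allowed to pull from us

function Get-ZoneSerial ([string]$Zone, [string]$Server) {
    # SOA serial as served by a given server; equal serials prove the transfer completed
    $soa = Resolve-DnsName -Name $Zone -Type SOA -Server $Server -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SOA' } | Select-Object -First 1
    return [uint32]$soa.SerialNumber
}

foreach ($zone in $zones) {
    if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
        Add-DnsServerSecondaryZone -Name $zone -ZoneFile "$zone.dns" -MasterServers $bindMaster
    }
    Start-DnsServerZoneTransfer -Name $zone -FullTransfer
    Start-Sleep -Seconds 5                 # give the AXFR a moment to finish

    # A serial mismatch means the transfer failed (typically allow-transfer on BIND)
    $masterSerial = Get-ZoneSerial -Zone $zone -Server $bindMaster
    $localSerial  = Get-ZoneSerial -Zone $zone -Server 127.0.0.1
    if ($localSerial -ne $masterSerial) {
        Write-Warning "${zone}: local serial $localSerial differs from master serial $masterSerial; not converting"
        continue
    }
    $count = @(Get-DnsServerResourceRecord -ZoneName $zone).Count
    Write-Host "${zone}: serial $localSerial, $count records transferred"

    # Promote, then transfer to and notify only the servers we know about
    ConvertTo-DnsServerPrimaryZone -Name $zone -ZoneFile "$zone.dns" -Force
    Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
        -SecondaryServers $newSecondaries -Notify NotifyServers -NotifyServers $newSecondaries
}

# Final audit: every migrated zone should be a primary that only transfers to the listed servers
Get-DnsServerZone | Where-Object { $_.ZoneName -in $zones } |
    Select-Object ZoneName, ZoneType, SecureSecondaries, SecondaryServers
```

Comparing SOA serials from both sides is a cheap but reliable transfer check; a record count alone would pass a zone that transferred from a stale master.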
Managing the DNS Server Role remotely
Besides using dnscmd.exe and the 99 DNS Server-related PowerShell cmdlets, both of which are available on the command line of the Server Core DNS Server itself, you can also manage the DNS Server role remotely.
On a Windows Server 2012 Server with a GUI, you can add the DNS Server Tools.
Start the Power User Start Menu with Win+X. Select Programs and Features from the menu. In the Programs and Features screen, click Turn Windows features on or off in the left action pane. In the Add Roles and Features Wizard, click Next in the Before you begin screen. Select Role-based or feature-based installation in the Select installation type screen and click Next. On the next screen, select the server where you want to install the DNS Server Tools from the list and click Next. Click Next in the Select server roles screen. In the list of available features, select the DNS Server Tools:
DNS Server Tools
Click Next. On the next screen, click Install.
On Windows 8 installations, you need to install the Remote Server Administration Tools (RSAT). After you download and install RSAT, all the tools are enabled by default. The DNS Server tool is accessible through the Administrative Tools shortcut at the far right of the Start Screen.
Server Core DNS Servers have become a viable alternative to UNIX- and Linux-based BIND DNS Servers: compared to Server with a GUI installations, they offer a smaller attack surface, higher availability (fewer patches and reboots), better performance, and increased modularity, while keeping the Windows tooling you already use.
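The same DNS Server cmdlets that run locally on Server Core take a -ComputerName parameter, so a management workstation with the DNS Server Tools (Install-WindowsFeature RSAT-DNS-Server on Windows Server, the RSAT package on Windows 8) can audit all DMZ and migrated DNS servers in one pass. This is an added example and not code from the original post; the server names are placeholders, and it assumes WinRM/CIM access to the servers and the settings discussed in this article (recursion, forwarders, zone transfer policy) as the things worth checking.

```powershell
# Added example (not from the original post): audit several Server Core DNS
# Servers remotely with the RSAT DNS cmdlets. Server names are placeholders;
# requires the DNS Server Tools locally and WinRM/CIM access to each server.
$dnsServers = 'dns1.dmz.servercore.net', 'dns2.dmz.servercore.net'   # placeholders

$report = foreach ($server in $dnsServers) {
    try {
        $recursion  = Get-DnsServerRecursion -ComputerName $server -ErrorAction Stop
        $forwarders = Get-DnsServerForwarder -ComputerName $server -ErrorAction Stop
        $zones      = @(Get-DnsServerZone -ComputerName $server -ErrorAction Stop |
                        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' })

        # Primary zones that will hand their whole contents to anyone who asks
        $openXfer = $zones | Where-Object { $_.SecureSecondaries -eq 'TransferAnyServer' } |
                    ForEach-Object { $_.ZoneName }

        [pscustomobject]@{
            Server            = $server
            RecursionEnabled  = $recursion.Enable
            SecureResponse    = $recursion.SecureResponse
            Forwarders        = ($forwarders.IPAddress -join ', ')
            UseRootHint       = $forwarders.UseRootHint
            PrimaryZones      = $zones.Count
            OpenTransferZones = ($openXfer -join ', ')
            Error             = $null
        }
    } catch {
        # Unreachable or access denied: still worth a row so the gap is visible
        [pscustomobject]@{
            Server = $server; RecursionEnabled = $null; SecureResponse = $null
            Forwarders = $null; UseRootHint = $null; PrimaryZones = $null
            OpenTransferZones = $null; Error = $_.Exception.Message
        }
    }
}

$report | Format-Table -AutoSize

# Findings a DMZ reviewer cares about: recursion without response filtering, open transfers
$report | Where-Object { $_.RecursionEnabled -and -not $_.SecureResponse } |
    ForEach-Object { Write-Warning "$($_.Server): recursion enabled without secure-response filtering" }
$report | Where-Object { $_.OpenTransferZones } |
    ForEach-Object { Write-Warning "$($_.Server): zone transfers open to any host for $($_.OpenTransferZones)" }
$report | Where-Object { $_.Error } |
    ForEach-Object { Write-Warning "$($_.Server): could not be audited ($($_.Error))" }
```

Schedule it from a management host rather than from the DMZ servers themselves; the DMZ boxes then need only inbound WinRM from that host, and the report is the baseline you diff against after every change.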