- Turn the tables on your organization with Adaxes 2018.1’s Web Interface and reporting capabilities - Thu, Sep 20 2018
- Review: Softerra Adaxes – Automating Active Directory management - Thu, Jun 4 2015
- Azure Multi-Factor Authentication – Part 8: Delegating Administration - Tue, Apr 28 2015
Although most DNS Servers run on Domain Controllers with Active Directory-integrated DNS zones, I’ll show you some other implementation scenarios where Server Core DNS Servers might save your day!
The DNS Server Server Role has been included in Server Core since Windows Server 2008. The DNS Server in Server Core installations of Windows Server 2008 R2 was the first Server Core DNS Server implementation that supports DNSSEC.
Configuring Server Core as a DNS Server
Installing the DNS Server Server Role on Domain Controllers is as easy as selecting the option to install DNS in the Active Directory Domain Services Configuration Wizard, typing InstallDNS = Yes in a DCPromo unattend answer file, and accepting the defaults when you promote a new Domain Controller for a new domain with dcpromo.exe, Add-Domain, or Add-Forest.
Besides serving DNS name resolution from Server Core Domain Controllers, the following two scenarios, however, also seem plausible for Server Core DNS Servers.
Configuring a DNS Server in the DMZ
Server Core installations are less vulnerable to attacks, so placing them in your perimeter network or Demilitarized Zone (DMZ) to provide DNS sounds like a better idea than placing Server with a GUI installations there. With Server Core DNS Servers, you can still manage the DNS Servers with the command line and graphical tools you’re used to, but you gain some of the security, availability, and modularity benefits you’d normally only be able to gain with Linux- or UNIX-based DNS Servers.
To configure a Server Core installation as a DNS Server in the DMZ, start by giving it a network connection in the network segment of the DMZ. Next, provide it with a meaningful hostname and IP addresses in the DMZ network segment. You can perform all these configuration steps through sconfig.cmd, netsh.exe, netdom.exe, and/or Rename-Computer and New-NetIPAddress.
The next step is to install the DNS Server Server Role. To do so, perform a Server Core installation and provide it with a meaningful hostname and appropriate IP addresses. Next, install the DNS Server Server Role on the Server Core installation. Since we used the PowerShell command the last time, this time we’ll use the almost deprecated command line alternative:
Dism.exe /online /enable-feature /featurename:DNS-Server-Full-Role /featurename:DNS-Server-Tools
Now, depending on your preferences, you can configure the DNS Server with either dnscmd.exe or one or more of the 99 DNS Server-related PowerShell cmdlets.
For instance, to add a Primary DNS Forward Lookup Zone and Primary DNS Reverse Lookup Zone for dmz.servercore.net on the 85.17.209.0/24 network, use the following two dnscmd.exe commands:
dnscmd.exe localhost /ZoneAdd DMZ.ServerCore.Net /Primary /file dmz.servercore.net.dns
dnscmd.exe localhost /ZoneAdd 0.209.17.85.in-addr.arpa /Primary /file 209.17.85.in-addr.arpa.dns
To configure the same settings with PowerShell, the following two commands can be used:
Add-DnsServerPrimaryZone -Name "DMZ.ServerCore.Net" -ZoneFile "dmz.servercore.net.dns"
Add-DnsServerPrimaryZone -NetworkID 85.17.209.0/24 -ZoneFile "209.17.85.in-addr.arpa.dns"
Since a DNS Server in a DMZ used by hosts in the same network would rarely be used without DNS Forwarders, the following command will add the public Google DNS Servers as forwarders:
dnscmd.exe localhost /ResetForwarders 8.8.8.8 8.8.4.4
In PowerShell, the following two commands configure the same settings:
Add-DnsServerForwarder -IPAddress 8.8.8.8 -PassThru
Add-DnsServerForwarder -IPAddress 8.8.4.4 –PassThru
That’s it! Your Server Core DNS Server is up and running. To add an A record and an associated PTR record to the Forward and Reverse DNS zones on the server (for instance, for mail.dmz.servercore.net with IP address 209.17.85.74), you can use the following commands:
Add-DnsServerResourceRecordA -Name "mail" -ZoneName "dmz.servercore.net"
Add-DnsServerResourceRecord -Name "74" -Ptr -ZoneName "209.17.85.in-addr.arpa.dns"
-PtrDomainName "mail.dmz.servercore.net"
Configuring secondary DNS zones
In traditionally highly secure environments, the Domain Name System services would be hosted on Linux- or UNIX-based hosts with BIND DNS Server software. For ease of management, conformity, or migration purposes, you could opt to configure a Server Core installation to host secondary DNS zones to the BIND primary DNS zones. In this example, we’ll migrate a BIND-based DNS Server environment to Windows Server 2012-based Server Core DNS Servers.
You can use the following short PowerShell command to do that:
Install-WindowsFeature DNS -IncludeManagementTools
The next step is to add secondary zones for all the DNS zones hosted on the BIND-based DNS servers. Depending on the number of DNS domain zones these servers are hosting, you will need a couple of PowerShell lines. With the BIND host running on 85.17.209.1, the lines would look like these:
Add-DnsServerSecondaryZone -Name "servercore.net" -ZoneFile "servercore.net.dns" -MasterServers 85.17.209.1
Add-DnsServerSecondaryZone -Name "dirteam.com" -ZoneFile "dirteam.com.dns" -MasterServers 85.17.209.1
Add-DnsServerSecondaryZone -Name "berkouwer.org" -ZoneFile "berkouwer.org.dns" -MasterServers 85.17.209.1
Now, sync the DNS zones, with commands like these:
Sync-DNSServerZone -Name "servercore.net" -PassThru -Verbose Sync-DNSServerZone -Name "dirteam.com" -PassThru –Verbose Sync-DNSServerZone -Name "berkouwer.org" -PassThru –Verbose
After completing the zone transfers, convert any of the secondary zones to primary zones:
ConvertTo-DNSServerPrimaryZone -Name "servercore.net" -PassThru -Verbose -ZoneFile "servercore.net.dns" ConvertTo-DNSServerPrimaryZone -Name "dirteam.com" -PassThru -Verbose -ZoneFile "dirteam.com.dns" ConvertTo-DNSServerPrimaryZone -Name "berkouwer.org" -PassThru -Verbose -ZoneFile "berkouwer.org.dns"
On the BIND Servers, of course, configure the previously primary DNS servers to be secondary DNS servers for the migrated zones or demote them. Also, when other secondary DNS Zones existed on other DNS Servers, update their configuration to point to the new Server Core DNS Server to use as their master servers.
Managing the DNS Server Role remotely
Besides using dnscmd.exe and the 99 DNS Server-related PowerShell cmdlets, both of which are available on the command line of your Server Core DNS Server, you can also manage the DNS Server Server Role remotely.
On a Windows Server 2012 Server with a GUI, you can add the DNS Server Tools.
Start the Power User Start Menu with Win+X. Select Programs and Features from the menu. In the Programs and Features screen, click Turn Windows features on or off in the left action pane. In the Add Roles and Features Wizard, click Next in the Before you begin screen. Select Role-based or feature-based installation in the Select installation type screen and click Next. On the next screen, select the server where you want to install the DNS Server Tools from the list and click Next. Click Next in the Select server roles screen. In the list of available features, select the DNS Server Tools:
DNS Server Tools
Click Next. On the next screen, click Install.
On Windows 8 installations, you need to install the Remote Server Administration Tools (RSAT). After you download and install RSAT, all the Tools will be installed by default. The DNS Server Tool is accessible through the Administrative Tools shortcut to the far right in the Start Screen.
Concluding
Server Core DNS Servers have become a viable alternative to UNIX- and Linux-based BIND DNS Servers because of their smaller attack surface, higher availability, better performance, and increased modularity, when compared to Server with a GUI installations.
Thanks for the great article. I am tasked with migrating from our Unix Bind based DNS to 2012 core servers in the DMZ so this answers most of my questions.
My initial plan was to create a new Active Directory domain and configure these new servers as DCs before setting them up with the DNS Server role. This AD domain would not be connected to our internal domain. Not sure if this is creating more work and more security issues (than if these were standalone DNS servers) or if this will actually make the management easier and allow for more flexibility in our DMZ for future uses.
What are your thoughts on the Pros and Cons?
Hi Helen,
That sounds like a challenging and fun project!
Making the DNS Servers in your DMZ Active Directory-integrated allows them to use DFSR to replicate changes between them. This is far more efficient than the zone transfer mechanisms you’d only have when you wouldn’t place DNS on DCs.
Also, by default, security settings on Windows Servers that are Domain Controllers are more strict than security settings on standalone and memberservers. Look at the Security Guide for your respective Windows Server version for tips on hardening.
When you intend to implement the DNS Security Extensions (DNSSEC), than making the DNS Servers DCs makes more sense, because you would be able to automatically deploy and renew certificates from a (domain-joined) Windows Server-based Certification Authority (CA).
Sander, I am really impressed with you blog. If I’ve to remotely manage DNS Core server then do I need to open Port number 53 on Firewall or any different port needs to be opened.