
Active Directory Cookbook for Windows Server 2003 - P41 (PDF)


Document information: 10 pages, 34.06 KB

Contents



a dnsRecord attribute, which is multivalued and contains all of the resource records associated with that node. Unfortunately, the contents of that attribute are stored in a binary format and are not directly readable.

Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on dnsZone and dnsNode objects, respectively.

Table 13-1. Attributes of dnsZone objects

Attribute                       Description
dnsProperty                     Binary formatted string that stores configuration information about the zone.
msDS-Approx-Immed-Subordinates  Approximate number of nodes contained within the zone. This is new to Windows Server 2003.
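The table describes dnsProperty only as a binary string. The following Python script is an added example, not code from the book, that decodes that binary layout. It assumes the DNS_PROPERTY structure documented in MS-DNSP (DataLength, NameLength, Flag, Version and Id as 32-bit little-endian values, then the Data bytes and a one-byte Name), which the page itself does not describe, together with the DSPROPERTY_ZONE_* property ids and the ALLOW_UPDATE values from the same specification. The sample attribute values are constructed inside the script. The check at the end is the one a defender usually wants from this attribute: whether the zone accepts dynamic updates from unauthenticated clients.

```python
import struct

# Property ids from the DSPROPERTY_ZONE_* enumeration (MS-DNSP); only the
# ones used here are listed. Assumed from the specification, not the page.
DSPROPERTY_ZONE_TYPE = 0x01
DSPROPERTY_ZONE_ALLOW_UPDATE = 0x02
DSPROPERTY_ZONE_SECURE_TIME = 0x08
DSPROPERTY_ZONE_AGING_STATE = 0x40

PROPERTY_NAMES = {
    DSPROPERTY_ZONE_TYPE: "ZONE_TYPE",
    DSPROPERTY_ZONE_ALLOW_UPDATE: "ALLOW_UPDATE",
    DSPROPERTY_ZONE_SECURE_TIME: "SECURE_TIME",
    DSPROPERTY_ZONE_AGING_STATE: "AGING_STATE",
}

# Values of ALLOW_UPDATE: 0 = no dynamic updates, 1 = nonsecure and secure,
# 2 = secure only.
ALLOW_UPDATE_NAMES = {0: "none", 1: "nonsecure and secure", 2: "secure only"}

# One dnsProperty value: DataLength, NameLength, Flag, Version, Id (all
# 32-bit little-endian), then Data (DataLength bytes), then Name (1 byte,
# ignored).
_HEADER = struct.Struct("<IIIII")


def parse_dns_property(value):
    """Decode one dnsProperty value into (property id, raw Data bytes)."""
    if len(value) < _HEADER.size:
        raise ValueError("dnsProperty value shorter than its header")
    data_len, _name_len, _flag, version, prop_id = _HEADER.unpack_from(value)
    if version != 1:
        raise ValueError("unexpected dnsProperty version %d" % version)
    data = value[_HEADER.size:_HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError("dnsProperty Data field truncated")
    return prop_id, data


def zone_settings(values):
    """Turn the multivalued dnsProperty attribute into a readable dict.
    4-byte Data fields are decoded as DWORDs; anything else stays raw."""
    settings = {}
    for value in values:
        prop_id, data = parse_dns_property(value)
        name = PROPERTY_NAMES.get(prop_id, "0x%x" % prop_id)
        settings[name] = struct.unpack("<I", data)[0] if len(data) == 4 else data
    return settings


def allows_nonsecure_updates(values):
    """Defender check: True if the zone accepts dynamic updates from anyone."""
    return zone_settings(values).get("ALLOW_UPDATE") == 1


def build_dns_property(prop_id, dword):
    """Construct a dnsProperty value with a 4-byte Data field (for samples)."""
    data = struct.pack("<I", dword)
    return _HEADER.pack(len(data), 1, 0, 1, prop_id) + data + b"\x00"


# Constructed sample (not from a real directory): a primary zone (ZONE_TYPE 1)
# that allows nonsecure dynamic updates, with aging disabled.
SAMPLE_DNS_PROPERTY = [
    build_dns_property(DSPROPERTY_ZONE_TYPE, 1),
    build_dns_property(DSPROPERTY_ZONE_ALLOW_UPDATE, 1),
    build_dns_property(DSPROPERTY_ZONE_AGING_STATE, 0),
]

if __name__ == "__main__":
    settings = zone_settings(SAMPLE_DNS_PROPERTY)
    for name, val in sorted(settings.items()):
        print("%-14s %s" % (name, val))
    print("dynamic updates:", ALLOW_UPDATE_NAMES.get(settings.get("ALLOW_UPDATE")))
    if allows_nonsecure_updates(SAMPLE_DNS_PROPERTY):
        print("WARNING: zone accepts nonsecure dynamic updates")
```

Feed the script the dnsProperty values exported from a dnsZone object (for example via LDAP) and it reports the zone type and update policy without the DNS console; AD-integrated zones should normally report ALLOW_UPDATE = 2.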

Table 13-2. Attributes of dnsNode objects

Attribute      Description
dc             Relative distinguished name of the node.
dnsRecord      Binary formatted multivalued attribute that stores the resource records associated with the node.
dnsTombstoned  Boolean that indicates whether the node is marked for deletion. FALSE means it is not and TRUE means that it is.
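dnsRecord is likewise stated above to be binary and not directly readable. The Python parser below is an added example, not from the book. It assumes the DNS_RPC_RECORD layout from MS-DNSP (a 24-byte header with TtlSeconds in network byte order, a TimeStamp in hours since 1601 where 0 means a static record, and type 0 marking a tombstoned record) and decodes A, AAAA, NS and CNAME data; the sample node values are constructed in the script. Run over the dnsRecord values of a node exported from the directory, it lets a defender tell static entries from dynamic registrations and spot tombstoned records that have not yet been scavenged.

```python
import struct
from datetime import datetime, timedelta

# DNS type codes handled by this parser.
DNS_TYPE_ZERO = 0    # tombstoned record: Data holds the deletion time
DNS_TYPE_A = 1
DNS_TYPE_NS = 2
DNS_TYPE_CNAME = 5
DNS_TYPE_AAAA = 28

# Header of one dnsRecord value (assumed DNS_RPC_RECORD layout from MS-DNSP):
# DataLength and Type are 16-bit little-endian, Version and Rank single
# bytes, Flags 16-bit and Serial 32-bit little-endian, TtlSeconds 32-bit
# BIG-endian (network byte order), then Reserved and TimeStamp 32-bit
# little-endian. 24 bytes in total, followed by DataLength bytes of Data.
_HEAD = struct.Struct("<HHBBHI")   # DataLength, Type, Version, Rank, Flags, Serial
_TTL = struct.Struct(">I")         # TtlSeconds
_TAIL = struct.Struct("<II")       # Reserved, TimeStamp
HEADER_SIZE = _HEAD.size + _TTL.size + _TAIL.size   # 24

_WINDOWS_EPOCH = datetime(1601, 1, 1)


def _parse_count_name(data):
    """Decode a DNS_COUNT_NAME: Length byte, LabelCount byte, then labels
    each prefixed by their own length byte."""
    label_count = data[1]
    pos, labels = 2, []
    for _ in range(label_count):
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def parse_dns_record(value):
    """Decode one dnsRecord value into a dict of readable fields."""
    if len(value) < HEADER_SIZE:
        raise ValueError("dnsRecord value shorter than its 24-byte header")
    data_len, rtype, _version, rank, _flags, serial = _HEAD.unpack_from(value, 0)
    ttl = _TTL.unpack_from(value, _HEAD.size)[0]
    _reserved, timestamp = _TAIL.unpack_from(value, _HEAD.size + _TTL.size)
    data = value[HEADER_SIZE:HEADER_SIZE + data_len]
    if len(data) != data_len:
        raise ValueError("dnsRecord Data field truncated")
    rec = {
        "type": rtype, "ttl": ttl, "serial": serial, "rank": rank,
        # TimeStamp is hours since 1601-01-01 for aging; 0 means static
        "static": timestamp == 0,
        "tombstoned": rtype == DNS_TYPE_ZERO,
    }
    if rtype == DNS_TYPE_A:
        rec["data"] = ".".join(str(b) for b in data[:4])
    elif rtype == DNS_TYPE_AAAA:
        rec["data"] = ":".join("%x" % w for w in struct.unpack(">8H", data[:16]))
    elif rtype in (DNS_TYPE_NS, DNS_TYPE_CNAME):
        rec["data"] = _parse_count_name(data)
    elif rtype == DNS_TYPE_ZERO:
        # EntombedTime is a FILETIME: 100-ns intervals since 1601-01-01
        entombed = struct.unpack("<Q", data[:8])[0]
        rec["data"] = (_WINDOWS_EPOCH + timedelta(microseconds=entombed // 10)).isoformat()
    else:
        rec["data"] = data.hex()
    return rec


def build_dns_record(rtype, data, ttl=3600, serial=1, timestamp=0):
    """Construct a dnsRecord value; used only to build the samples below."""
    return (_HEAD.pack(len(data), rtype, 5, 0xF0, 0, serial)
            + _TTL.pack(ttl) + _TAIL.pack(0, timestamp) + data)


def encode_count_name(fqdn):
    """Encode an FQDN as DNS_COUNT_NAME (inverse of _parse_count_name)."""
    labels = [l.encode("ascii") for l in fqdn.rstrip(".").split(".")]
    raw = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


# Constructed sample node (not from a real directory): a static A record,
# a dynamically registered AAAA record (non-zero TimeStamp) and a CNAME.
SAMPLE_DNS_RECORD = [
    build_dns_record(DNS_TYPE_A, bytes([192, 168, 1, 10])),
    build_dns_record(DNS_TYPE_AAAA,
                     bytes.fromhex("20010db8000000000000000000000001"),
                     timestamp=3700000),
    build_dns_record(DNS_TYPE_CNAME, encode_count_name("web.rallencorp.com")),
]

if __name__ == "__main__":
    for rec in map(parse_dns_record, SAMPLE_DNS_RECORD):
        print(rec)
```

Record types the parser does not know are returned as hex so nothing is silently dropped; the dnsTombstoned attribute in Table 13-2 marks the node, while the type-0 record carries the time the record was deleted.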

Recipe 13.1 Creating a Forward Lookup Zone

13.1.1 Problem

You want to create a forward lookup zone. A forward lookup zone maps names to IP addresses or other names.

13.1.2 Solution

13.1.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.


4. Right-click on Forward Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies for Windows Server 2003.)

8. Enter the zone name and click Next.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.1.2.2 Using a command-line interface

The following command creates an AD-Integrated zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

13.1.2.3 Using VBScript

' This code creates an AD-integrated forward zone.
' - SCRIPT CONFIGURATION -
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>"      ' e.g. othercorp.com
' - END CONFIGURATION -

' Connect to the DNS WMI Provider on the target server
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
' ZoneType 0 = primary; True stores the zone in Active Directory
strNull = objDNSZone.CreateZone(strNewZone, 0, True)
WScript.Echo "Created zone " & strNewZone

13.1.3 Discussion

13.1.3.1 Using a command-line interface

When you create an AD-integrated zone with the /DsPrimary switch, you can additionally include a /dp switch and specify an application partition to add the zone to. Here is an example:

> dnscmd /zoneadd <ZoneName> /DsPrimary /dp domaindnszones.rallencorp.com

13.1.3.2 Using VBScript

The DNS WMI Provider is Microsoft's first comprehensive DNS API. You can create and modify zones, query and manage resource records, and manipulate DNS server configuration. In the VBScript solution, the CreateZone method of the MicrosoftDNS_Zone class was used to create the forward zone.


13.1.4 See Also

Recipe 13.2 for creating a reverse lookup zone, MS KB 323445 (HOW TO: Create a New Zone on a DNS Server in Windows Server 2003), MSDN: DNS WMI Provider, and MSDN: CreateZone Method of the MicrosoftDNS_Zone Class.

Recipe 13.2 Creating a Reverse Lookup Zone

13.2.1 Problem

You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.

13.2.2 Solution

13.2.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and click on Reverse Lookup Zones.

4. Right-click on Reverse Lookup Zones and select New Zone.

5. Click Next.

6. Select the zone type and click Next.

7. If you selected to store the zone data in Active Directory, next you will be asked which servers you want to replicate the DNS data to. Click Next after you make your selection. (This only applies for Windows Server 2003.)

8. Type the Network ID for the reverse zone or enter a reverse zone name to use.

9. Fill out the information for the remaining screens. They will vary depending on whether you are creating a primary, secondary, or stub zone.

13.2.2.2 Using a command-line interface

The following command creates an AD-integrated reverse zone:

> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary

13.2.2.3 Using VBScript

' This code creates an AD-integrated reverse zone.
' - SCRIPT CONFIGURATION -
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>"      ' e.g. 8.10.192.in-addr.arpa
' - END CONFIGURATION - (the rest is the same as the Recipe 13.1 script)
set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
strNull = objDNSZone.CreateZone(strNewZone, 0, True)


13.2.3 Discussion

Creating a reverse zone is very similar to creating a forward zone. See Recipe 13.1 for more information.

13.2.4 See Also

MS KB 323445 (HOW TO: Create a New Zone on a DNS Server in Windows Server 2003) and MSDN: CreateZone Method of the MicrosoftDNS_Zone Class.

Recipe 13.3 Viewing a Server's Zones

13.3.1 Problem

You want to view the zones on a server.

13.3.2 Solution

13.3.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup Zones to view the supported zones.

13.3.2.2 Using a command-line interface

> dnscmd <DNSServerName> /enumzones

13.3.2.3 Using VBScript

' This code lists the zones that are supported by the specified server.
' - SCRIPT CONFIGURATION -
strServer = "<DNSServerName>"  ' e.g. dc1.rallencorp.com
' - END CONFIGURATION -

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' WQL query for every zone hosted by this server
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
                                "Where DnsServerName = '" & _
                                objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
    WScript.Echo "  " & objZone.Name
next

13.3.3 Discussion

13.3.3.1 Using a graphical user interface


When you click on either Forward Lookup Zones or Reverse Lookup Zones in the left pane, the right pane contains a Type column that displays the zone type for each zone.

13.3.3.2 Using a command-line interface

When you use the /enumzones switch without any further parameters, it displays all zones on the server. You can specify additional filters that limit the types of zones returned. With the Windows 2000 version of dnscmd, you can specify up to two filters:

Filter1:

/Primary

/Secondary

/Cache

/Auto-Created

Filter2:

/Forward

/Reverse

With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of two levels of criteria, you can specify one or more of the following:

/Primary

/Secondary

/Forwarder

/Stub

/Cache

/Auto-Created

/Forward

/Reverse

/Ds

/File

/DomainDirectoryPartition

/ForestDirectoryPartition

/CustomDirectoryPartition

/LegacyDirectoryPartition

/DirectoryPartition <PartitionName>

13.3.3.3 Using VBScript

A WQL query was used to find all MicrosoftDNS_Zone objects. You can add additional criteria to the WQL Select statement to return a subset of the zones supported on the server.

13.3.4 See Also

MSDN: MicrosoftDNS_Zone


Recipe 13.4 Converting a Zone to an AD-Integrated Zone

13.4.1 Problem

You want to convert a primary zone to an AD-integrated zone. This causes the contents of the zone to be stored and replicated in Active Directory instead of in a text file.

13.4.2 Solution

13.4.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. Right-click on DNS in the left pane and select Connect to DNS Server.

3. Enter the server you want to connect to and click Enter.

4. If you want to convert a forward zone, expand the Forward Lookup Zones folder. If you want to convert a reverse zone, expand the Reverse Lookup Zones folder.

5. Click on the zone you want to convert, then right-click it and select Properties.

6. Beside Type, click the Change button.

7. Check the box beside Store the zone in Active Directory.

8. Click OK twice.

13.4.2.2 Using a command-line interface

> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary

13.4.2.3 Using VBScript

' This code converts a zone to AD-integrated.
' - SCRIPT CONFIGURATION -
strZone = "<ZoneName>"      ' e.g. rallencorp.com
strServer = "<ServerName>"  ' e.g. dc1.rallencorp.com
' - END CONFIGURATION -

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
' Bind to the zone by its three key properties
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
                            strZone & """,DnsServerName=""" & _
                            objDNSServer.Name & """,Name=""" & strZone & """")
' ZoneType 0 = primary; True stores the zone in Active Directory
strNull = objDNSZone.ChangeZoneType(0, True)
objDNSZone.Put_
WScript.Echo "Converted " & strZone & " to AD-integrated"

13.4.3 Discussion

See the Introduction to Chapter 13 and Recipe 13.5 for more on AD-integrated zones.


13.4.4 See Also

MS KB 198437 (How to Convert DNS Primary Server to Active Directory Integrated), MS KB 227844 (Primary and Active Directory Integrated Zones Differences), and MSDN: ChangeZoneType Method of the MicrosoftDNS_Zone Class.

Recipe 13.5 Moving AD-Integrated Zones into an Application Partition

This recipe requires the Windows Server 2003 domain functional level.

13.5.1 Problem

You want to move AD-integrated zones into an application partition.

13.5.2 Solution

13.5.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Change button beside Replication.

7. Select the application partition you want to move the zone into.

8. Click OK twice.

13.5.2.2 Using a command-line interface

The following command moves a zone to the default application partition, which replicates to all domain controllers that are DNS servers in the domain:

> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> /domain

13.5.2.3 Using VBScript


13.5.3 Discussion

With Windows 2000 Active Directory, AD-integrated zones were replicated to every domain controller in the domain where they were stored. In many cases, not every domain controller also serves as a DNS server, which results in increased and unnecessary replication traffic for changes to the zone(s).

Windows Server 2003 provides an elegant solution to this issue by using application partitions. Application partitions are user-defined partitions that can be configured to replicate with any domain controller in a forest. This provides a lot more flexibility for how you store and replicate your AD-integrated zones. You could, in fact, have a couple of domain controllers from each domain act as DNS servers for all of your AD domains.

13.5.4 See Also

Chapter 17 for more information on application partitions.

Recipe 13.6 Delegating Control of a Zone

13.6.1 Problem

You want to delegate control of managing the resource records in a zone.

13.6.2 Solution

13.6.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse Lookup Zones, depending on the type of zone.

4. Click on the name of the zone.

5. Right-click on the zone and select Properties.

6. Click on the Security tab.

7. Click the Add button.

8. Use the Object Picker to locate the user or group to which you want to delegate control.

9. Under Permissions, check the Full Control box.

10. Click OK.

13.6.2.2 Using a command-line interface

The following command grants full control over managing the resource records in an AD-integrated zone:


> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;

13.6.2.3 Using VBScript

' This code grants full control for the specified user or group over
' an AD-integrated zone.
' - SCRIPT CONFIGURATION -
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
' - END CONFIGURATION -

set objZone = GetObject("LDAP://" & strZoneDN)

'############################
' Constants
'############################
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_ALL = &h10000000

'############################
' Create ACL
'############################
set objSD = objZone.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Full Control on the zone object itself. AceFlags = 0 means no
' inheritance, matching the dsacls command above. Flags is left at 0:
' ADS_FLAG_OBJECT_TYPE_PRESENT would require an ObjectType GUID, which
' a full-control grant on the whole object does not use.
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strUserOrGroup
objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
objACE1.AceFlags = 0
objACE1.Flags = 0
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objDACL.AddAce objACE1

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objZone.Put "ntSecurityDescriptor", objSD
objZone.SetInfo
WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup


permissions on the zone object in AD. The solutions show examples of how to grant Full Control to a user or group over a particular zone.

13.6.4 See Also

MS KB 256643 (Unable to Prevent DNS Zone Administrator from Creating New Zones)

Recipe 13.7 Creating and Deleting Resource Records

13.7.1 Problem

You want to create and delete resource records.

13.7.2 Solution

13.7.2.1 Using a graphical user interface

1. Open the DNS Management snap-in.

2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS in the left pane and select Connect to DNS Server. Select This computer or The following computer, enter the server you want to connect to (if applicable), and click OK.

3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zones folder. If you want to add or delete a record in a reverse zone, expand the Reverse Lookup Zones folder.

To create a resource record, do the following:

4. In the left pane, right-click the zone and select the option that corresponds to the record type you want to create, e.g., New Host (A).

5. Fill in all required fields.

6. Click OK.

To delete a resource record, do the following:

7. In the left pane, click on the zone the record is in.

8. In the right pane, right-click on the record you want to delete and select Delete.

9. Click Yes to confirm.

13.7.2.2 Using a command-line interface

To add a resource record, use the following command:

> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType> <RRData>

The following command adds an A record in the rallencorp.com zone:

Posted: 05/07/2014, 08:20
