Active Directory Cookbook for Windows Server 2003 - Part 41



411
a dnsRecord attribute, which is multivalued and contains all of the resource records associated
with that node. Unfortunately, the contents of that attribute are stored in a binary format and are
not directly readable.
Table 13-1 and Table 13-2 contain some of the interesting attributes that are available on
dnsZone and dnsNode objects, respectively.
Table 13-1. Attributes of dnsZone objects

Attribute                        Description
dc                               Relative distinguished name of the zone.
dnsProperty                      Binary formatted string that stores configuration information about the zone.
msDS-Approx-Immed-Subordinates   Approximate number of nodes contained within the zone. This is new to Windows Server 2003.

Table 13-2. Attributes of dnsNode objects

Attribute        Description
dc               Relative distinguished name of the node.
dnsRecord        Binary formatted multivalued attribute that stores the resource records associated with the node.
dnsTombstoned    Boolean that indicates whether the node is marked for deletion. FALSE means it is not and TRUE means that it is.
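The dnsRecord values described above are readable once the layout is known. What follows is an added example, not code from the cookbook: it decodes the DNS_RECORD structure that Microsoft documents in MS-DNSP (a 24-byte header of DataLength, Type, Version, Rank, Flags, Serial, a big-endian TtlSeconds, Reserved and a TimeStamp in hours since 1601, followed by type-specific data) for A, AAAA, NS/CNAME/PTR and tombstoned (type 0) values. The sample blobs are constructed in the script rather than read from a directory, and the function names (parse_dns_record, build_dns_record) are this example's own.

```python
"""Decode the binary dnsRecord values stored on a dnsNode object (added example)."""
import struct
import ipaddress
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
RANK_ZONE = 0xF0          # rank of authoritative zone data (MS-DNSP)
TYPE_NAMES = {0: "TOMBSTONE", 1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 12: "PTR",
              15: "MX", 16: "TXT", 28: "AAAA", 33: "SRV"}
# First 12 header bytes, all little-endian: DataLength, Type, Version, Rank, Flags, Serial.
# They are followed by TtlSeconds (big-endian), Reserved and TimeStamp (little-endian).
_HDR_LE = struct.Struct("<HHBBHI")


def _count_name(data: bytes) -> str:
    """Decode a DNS_COUNT_NAME: Length, LabelCount, then length-prefixed labels ending in 0."""
    labels, pos = [], 2
    while pos < len(data) and data[pos] != 0:
        n = data[pos]
        labels.append(data[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + "."


def decode_rdata(rtype: int, data: bytes):
    if rtype == 1:
        return str(ipaddress.IPv4Address(data))
    if rtype == 28:
        return str(ipaddress.IPv6Address(data))
    if rtype in (2, 5, 12):
        return _count_name(data)
    if rtype == 0:
        # Tombstoned record: the data is a FILETIME (100 ns ticks since 1601) of entombment.
        ticks = struct.unpack("<Q", data)[0]
        return (EPOCH_1601 + timedelta(microseconds=ticks // 10)).isoformat()
    return data.hex()  # types not decoded by this example are returned raw


def parse_dns_record(blob: bytes) -> dict:
    if len(blob) < 24:
        raise ValueError("dnsRecord value shorter than the 24-byte header")
    data_len, rtype, version, rank, flags, serial = _HDR_LE.unpack_from(blob, 0)
    ttl = struct.unpack_from(">I", blob, 12)[0]          # network byte order
    timestamp = struct.unpack_from("<I", blob, 20)[0]    # hours since 1601; 0 = static record
    data = blob[24:24 + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength runs past the end of the value")
    return {
        "type": TYPE_NAMES.get(rtype, str(rtype)),
        "rdata": decode_rdata(rtype, data),
        "ttl": ttl,
        "serial": serial,
        "authoritative": rank == RANK_ZONE,
        "timestamp": None if timestamp == 0 else EPOCH_1601 + timedelta(hours=timestamp),
        "version": version,
        "flags": flags,
    }


def parse_node(values):
    """A dnsNode carries one dnsRecord value per resource record; decode all of them."""
    return [parse_dns_record(v) for v in values]


def build_dns_record(rtype, data, ttl=3600, serial=1, rank=RANK_ZONE, timestamp=0) -> bytes:
    """Pack a DNS_RECORD; used here only to construct sample input."""
    return (_HDR_LE.pack(len(data), rtype, 5, rank, 0, serial)
            + struct.pack(">I", ttl) + struct.pack("<I", 0) + struct.pack("<I", timestamp) + data)


def build_count_name(name: str) -> bytes:
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    raw = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    return bytes([len(raw), len(labels)]) + raw


# Constructed samples (not captured from a real directory). SAMPLE_A is a static
# A record 10.0.0.5 with TTL 600 and serial 7, written out byte by byte.
SAMPLE_A = bytes.fromhex("04000100" "05f00000" "07000000" "00000258"
                         "00000000" "00000000" "0a000005")
_ENTOMBED = datetime(2003, 1, 1, tzinfo=timezone.utc)
SAMPLE_NODE = [
    SAMPLE_A,
    build_dns_record(28, ipaddress.IPv6Address("2001:db8::5").packed, timestamp=3516000),
    build_dns_record(5, build_count_name("www.rallencorp.com")),
    build_dns_record(0, struct.pack("<Q", int((_ENTOMBED - EPOCH_1601).total_seconds()) * 10_000_000)),
]

if __name__ == "__main__":
    for rec in parse_node(SAMPLE_NODE):
        print(rec["type"], rec["rdata"], "ttl", rec["ttl"], "aged" if rec["timestamp"] else "static")
```

A non-zero TimeStamp marks a dynamically registered (aging-eligible) record, and a type 0 value is what a record becomes when it is tombstoned; both are worth surfacing when reviewing a zone dumped over LDAP.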
Recipe 13.1 Creating a Forward Lookup Zone
13.1.1 Problem


You want to create a forward lookup zone. A forward lookup zone maps names to IP addresses
or other names.
13.1.2 Solution
13.1.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS
in the left pane and select Connect to DNS Server. Select This computer or The following
computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and click on Forward Lookup Zones.
4. Right-click on Forward Lookup Zones and select New Zone.
5. Click Next.
6. Select the zone type and click Next.
7. If you selected to store the zone data in Active Directory, next you will be asked which
servers you want to replicate the DNS data to. Click Next after you make your selection.
(This only applies for Windows Server 2003).
8. Enter the zone name and click Next.
9. Fill out the information for the remaining screens. They will vary depending on whether you
are creating a primary, secondary, or stub zone.
13.1.2.2 Using a command-line interface
The following command creates an AD-Integrated zone:
> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary
13.1.2.3 Using VBScript
' This code creates an AD-Integrated forward zone.
' SCRIPT CONFIGURATION
strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>" ' e.g. othercorp.com
' END CONFIGURATION


set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
strNull = objDNSZone.CreateZone(strNewZone, 0 , True)
WScript.Echo "Created zone " & strNewZone
13.1.3 Discussion
13.1.3.1 Using a command-line interface
When you create an AD-integrated zone with the /DsPrimary switch, you can additionally
include a /dp switch and specify an application partition to add the zone to. Here is an example:
> dnscmd /zoneadd <ZoneName> /DsPrimary /dp domaindnszones.rallencorp.com
13.1.3.2 Using VBScript
The DNS WMI Provider is Microsoft's first comprehensive DNS API. You can create and
modify zones, query and manage resource records, and manipulate DNS server configuration. In
the VBScript solution, the CreateZone method of the MicrosoftDNS_Zone class was used to
create the forward zone.
13.1.4 See Also
Recipe 13.2 for creating a reverse lookup zone, MS KB 323445 (HOW TO: Create a New Zone
on a DNS Server in Windows Server 2003), MSDN: DNS WMI Provider, and MSDN:
CreateZone Method of the MicrosoftDNS_Zone Class
Recipe 13.2 Creating a Reverse Lookup Zone
13.2.1 Problem
You want to create a reverse lookup zone. A reverse lookup zone maps IP addresses to names.
13.2.2 Solution
13.2.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS
in the left pane and select Connect to DNS Server. Select This computer or The following
computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and click on Reverse Lookup Zones.
4. Right-click on Reverse Lookup Zones and select New Zone.
5. Click Next.
6. Select the zone type and click Next.
7. If you selected to store the zone data in Active Directory, next you will be asked which
servers you want to replicate the DNS data to. Click Next after you make your selection.
(This only applies for Windows Server 2003).
8. Type the Network ID for the reverse zone or enter a reverse zone name to use.
9. Fill out the information for the remaining screens. They will vary depending on whether you
are creating a primary, secondary, or stub zone.
13.2.2.2 Using a command-line interface
The following command creates an AD-integrated reverse zone:
> dnscmd <DNSServerName> /zoneadd <ZoneName> /DsPrimary
13.2.2.3 Using VBScript
' This code creates an AD-integrated reverse zone.
' SCRIPT CONFIGURATION
strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
strNewZone = "<ZoneName>" ' e.g. 8.10.192.in-addr.arpa.
' END CONFIGURATION

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone")
strNull = objDNSZone.CreateZone(strNewZone, 0 , True)
WScript.Echo "Created zone " & strNewZone
13.2.3 Discussion
Creating a reverse zone is very similar to creating a forward zone. See Recipe 13.1 for more
information.

13.2.4 See Also
MS KB 323445 (HOW TO: Create a New Zone on a DNS Server in Windows Server 2003) and
MSDN: CreateZone Method of the MicrosoftDNS_Zone Class
Recipe 13.3 Viewing a Server's Zones
13.3.1 Problem
You want to view the zones on a server.
13.3.2 Solution
13.3.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and click OK.
4. In the left pane, expand the server and click Forward Lookup Zones and Reverse Lookup
Zones to view the supported zones.
13.3.2.2 Using a command-line interface
> dnscmd <DNSServerName> /enumzones
13.3.2.3 Using VBScript
' This code lists the zones that are supported by the specified server.
' SCRIPT CONFIGURATION
strServer = "<DNSServerName>" ' e.g. dc1.rallencorp.com
' END CONFIGURATION

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objZones = objDNS.ExecQuery("Select * from MicrosoftDNS_Zone " & _
"Where DnsServerName = '" & _
objDNSServer.Name & "'")
WScript.Echo "Zones on " & objDNSServer.Name
for each objZone in objZones
WScript.Echo " " & objZone.Name
next

13.3.3 Discussion
13.3.3.1 Using a graphical user interface
When you click on either the Forward Lookup Zones or Reverse Lookup Zones in the left pane,
the right pane contains a Type column that displays the zone type for each zone.
13.3.3.2 Using a command-line interface
When using the /enumzones switch without any more parameters, it displays all zones on the
server. You can specify additional filters that limit the types of zones returned. With the
Windows 2000 version of dnscmd, you can specify up to two filters:
Filter1:
/Primary
/Secondary
/Cache
/Auto-Created
Filter2:
/Forward
/Reverse
With the Windows Server 2003 version of dnscmd, the filter behavior has changed. Instead of
having two levels of criteria you can specify one or more of the following:
/Primary
/Secondary
/Forwarder
/Stub
/Cache
/Auto-Created
/Forward
/Reverse

/Ds
/File
/DomainDirectoryPartition
/ForestDirectoryPartition
/CustomDirectoryPartition
/LegacyDirectoryPartition
/DirectoryPartition <PartitionName>
13.3.3.3 Using VBScript
A WQL query was used to find all MicrosoftDNS_Zone objects. You can add additional criteria
to the WQL Select statement to return a subset of zones supported on the server.
13.3.4 See Also
MSDN: MicrosoftDNS_Zone
Recipe 13.4 Converting a Zone to an AD-Integrated
Zone
13.4.1 Problem
You want to convert a primary zone to an AD-integrated zone. This causes the contents of the
zone to be stored and replicated in Active Directory instead of in a text file.
13.4.2 Solution
13.4.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. Right-click on DNS in the left pane and select Connect to DNS Server.
3. Enter the server you want to connect to and click OK.
4. If you want to convert a forward zone, expand the Forward Lookup Zone folder. If you
want to convert a reverse zone, expand the Reverse Lookup Zone folder.
5. Click on the zone you want to convert, then right-click it and select Properties.
6. Beside Type, click the Change button.
7. Check the box beside Store the zone in Active Directory.
8. Click OK twice.

13.4.2.2 Using a command-line interface
> dnscmd <ServerName> /zoneresettype <ZoneName> /DsPrimary
13.4.2.3 Using VBScript
' This code converts a zone to AD-integrated.
' SCRIPT CONFIGURATION
strZone = "<ZoneName>" ' e.g. rallencorp.com
strServer = "<ServerName>" ' e.g. dc1.rallencorp.com
' END CONFIGURATION

set objDNS = GetObject("winMgmts:\\" & strServer & "\root\MicrosoftDNS")
set objDNSServer = objDNS.Get("MicrosoftDNS_Server.Name="".""")
set objDNSZone = objDNS.Get("MicrosoftDNS_Zone.ContainerName=""" & _
strZone & """,DnsServerName=""" & _
objDNSServer.Name & """,Name=""" & strZone & """")
strNull = objDNSZone.ChangeZoneType(0, True)
objDNSZone.Put_
WScript.Echo "Converted " & strZone & " to AD-Integrated"
13.4.3 Discussion
See Introduction in Chapter 13 and Recipe 13.5 for more on AD-integrated zones.
13.4.4 See Also
MS KB 198437 (How to Convert DNS Primary Server to Active Directory Integrated), MS KB
227844 (Primary and Active Directory Integrated Zones Differences), and MSDN:
ChangeZoneType Method of the MicrosoftDNS_Zone Class
Recipe 13.5 Moving AD-Integrated Zones into an
Application Partition

This recipe requires the Windows Server 2003 domain functional level.


13.5.1 Problem
You want to move AD-integrated zones into an application partition.
13.5.2 Solution
13.5.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS
in the left pane and select Connect to DNS Server. Select This computer or The following
computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse
Lookup Zones depending on the type of zone.
4. Click on the name of the zone.
5. Right-click on the zone and select Properties.
6. Click on the Change button beside Replication.
7. Select the application partition you want to move the zone into.
8. Click OK twice.
13.5.2.2 Using a command-line interface
The following command will move a zone to the default application partition that replicates
across all domain controllers that are DNS servers in the domain:
> dnscmd <DNSServerName> /zonechangedirectorypartition <ZoneName> /domain
13.5.2.3 Using VBScript
At the time of publication of this book, the DNS WMI Provider did not support
programmatically moving a zone into an application partition.
13.5.3 Discussion
With Windows 2000 Active Directory, if you had AD-integrated zones, those zones were
replicated to every domain controller in the domain where they were stored. In many cases, not
every domain controller also serves as a DNS server, which results in increased and unnecessary
traffic to replicate changes with the zone(s).
Windows Server 2003 provides an elegant solution to this issue by using application partitions.
Application partitions are user-defined partitions that can be configured to replicate to any
set of domain controllers in a forest, so the DNS data is replicated only to the domain controllers
that actually host it. This provides a lot more flexibility in how you store and replicate
your AD-integrated zones. You could, in fact, have a couple of domain controllers from each
domain act as DNS servers for all of your AD domains.
13.5.4 See Also
Chapter 17 for more information on application partitions
Recipe 13.6 Delegating Control of a Zone
13.6.1 Problem
You want to delegate control of managing the resource records in a zone.
13.6.2 Solution
13.6.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS
in the left pane and select Connect to DNS Server. Select This computer or The following
computer, enter the server you want to connect to (if applicable), and click OK.
3. Expand the server in the left pane and expand either Forward Lookup Zones or Reverse
Lookup Zones depending on the type of zone.
4. Click on the name of the zone.
5. Right-click on the zone and select Properties.
6. Click on the Security tab.
7. Click the Add button.
8. Use the Object Picker to locate the user or group to which you want to delegate control.
9. Under Permissions, check the Full Control box.
10. Click OK.
13.6.2.2 Using a command-line interface
The following command grants full control over managing the resource records in an AD-Integrated zone:

> dsacls dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN> /G <UserOrGroup>:GA;;
13.6.2.3 Using VBScript
' This code grants full control for the specified user or group over
' an AD-Integrated zone.
' SCRIPT CONFIGURATION
strZoneDN = "dc=<ZoneName>,cn=MicrosoftDNS,<DomainOrAppPartitionDN>"
strUserOrGroup = "<UserOrGroup>" ' e.g. RALLENCORP\joe
' END CONFIGURATION

set objZone = GetObject("LDAP://" & strZoneDN)
'############################
' Constants
'############################

' ADS_ACETYPE_ENUM: a plain (non-object-specific) allow ACE. The object-specific
' type (&h5) requires an ObjectType GUID, which this ACE does not set, so it
' must not be used here.
Const ADS_ACETYPE_ACCESS_ALLOWED = &h0

' ADS_ACEFLAG_ENUM: an AceFlags of 0 applies the ACE to the zone object only;
' ADS_ACEFLAG_INHERIT_ACE (&h2) would also apply it to the zone's existing
' dnsNode child objects (the equivalent of dsacls /I:T).
Const ADS_ACEFLAG_INHERIT_ACE = &h2

' ADS_RIGHTS_ENUM
Const ADS_RIGHT_GENERIC_ALL = &h10000000

'############################
' Create ACL
'############################

set objSD = objZone.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Full Control
set objACE1 = CreateObject("AccessControlEntry")
objACE1.Trustee = strUserOrGroup
objACE1.AccessMask = ADS_RIGHT_GENERIC_ALL
objACE1.AceFlags = 0          ' zone object only; use ADS_ACEFLAG_INHERIT_ACE to cover child nodes
objACE1.Flags = 0             ' no object-type GUID on this ACE
objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED

objDACL.AddAce objACE1

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objZone.Put "ntSecurityDescriptor", objSD
objZone.SetInfo
WScript.Echo "Delegated control of " & strZoneDN & " to " & strUserOrGroup
13.6.3 Discussion
By default, members of the DnsAdmins group have control over DNS server and zone
configuration. You can delegate control of individual AD-integrated zones by modifying
permissions on the zone object in AD. The solutions show examples of how to grant Full
Control to a user or group over a particular zone.
Two caveats apply. First, the distinguished name of the zone object depends on where the zone is
stored: a zone in the domain partition lives under cn=MicrosoftDNS,cn=System,<DomainDN>, while a
zone in an application partition lives under cn=MicrosoftDNS,<AppPartitionDN> (for example,
dc=DomainDnsZones,<DomainDN>). Second, an ACE added without inheritance (dsacls without /I:T,
or an AceFlags of 0 in the script) applies to the zone object itself and is not inherited by the
dnsNode objects beneath it; add /I:T to the dsacls command to apply the ACE to the zone and all
of its sub-objects. Full Control (GA) also includes the right to change the zone's permissions and
owner, so if the delegate should only manage records, grant Create Child, Delete Child, and
Read/Write Property instead of GA.
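A practitioner who has delegated a zone this way will want to confirm what the DACL actually grants. The following is an added example, not code from the cookbook: it parses the SDDL form of a zone object's security descriptor (the form ldp.exe, or Get-Acl on an AD:\ path, can display) using the standard SDDL rights and flag abbreviations, and reports allow ACEs for non-administrative trustees that either include the ability to rewrite the ACL or take ownership, or grant record-management rights without container inheritance. The SDDL string, the SIDs in it and the function names (audit_zone_dacl, parse_dacl) are constructed for this example.

```python
"""Audit an AD-integrated zone object's DACL for over-broad delegation (added example)."""
import re

# SDDL two-letter rights abbreviations and their access-mask bits (sddl.h)
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "RC": 0x00020000, "SD": 0x00010000, "WD": 0x00040000, "WO": 0x00080000,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
    "DT": 0x40, "LO": 0x80, "CR": 0x100,
}
ACL_OR_OWNER = RIGHTS["GA"] | RIGHTS["WD"] | RIGHTS["WO"]   # can rewrite the DACL or take ownership
RECORD_MGMT = RIGHTS["GA"] | RIGHTS["CC"] | RIGHTS["DC"] | RIGHTS["WP"]
CONTAINER_INHERIT = "CI"
# Well-known SDDL aliases for whom full control on a zone is expected
PRIVILEGED = {"SY", "BA", "DA", "EA"}

# (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")


def parse_rights(field: str) -> int:
    """Turn an SDDL rights field (two-letter tokens or a hex mask) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]   # an unknown token raises KeyError on purpose
    return mask


def parse_dacl(sddl: str):
    """Return the ACEs of the D: section as dicts; owner, group and SACL are ignored."""
    m = re.search(r"D:[^(]*((?:\([^)]*\))*)", sddl)
    if not m:
        return []
    aces = []
    for ace_type, flags, rights, obj, _inh_obj, trustee in ACE_RE.findall(m.group(1)):
        aces.append({
            "type": ace_type,
            "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)},
            "mask": parse_rights(rights),
            "object_type": obj,
            "trustee": trustee,
        })
    return aces


def audit_zone_dacl(sddl: str):
    """List (trustee, issues) for allow ACEs that go beyond managing the zone's records."""
    findings = []
    for ace in parse_dacl(sddl):
        if ace["type"] not in ("A", "OA") or ace["trustee"] in PRIVILEGED:
            continue
        issues = []
        if ace["mask"] & ACL_OR_OWNER:
            issues.append("can change zone ACL or owner")
        if ace["mask"] & RECORD_MGMT and CONTAINER_INHERIT not in ace["flags"]:
            issues.append("not inherited by dnsNode children")
        if issues:
            findings.append((ace["trustee"], issues))
    return findings


# Constructed descriptor with made-up domain SIDs: the recipe's GA grant without
# /I:T for RID 1105, a least-privilege inherited grant for RID 1106, and a read ACE.
ZONE_SDDL = ("O:DAG:DAD:AI"
             "(A;;GA;;;DA)"
             "(A;;GA;;;S-1-5-21-1004336348-1177238915-682003330-1105)"
             "(A;CI;CCDCRPWP;;;S-1-5-21-1004336348-1177238915-682003330-1106)"
             "(A;CIID;LCRPLORC;;;AU)")

if __name__ == "__main__":
    for trustee, issues in audit_zone_dacl(ZONE_SDDL):
        print(trustee, "->", "; ".join(issues))
```

The check treats a missing CI flag as a finding only when the ACE carries rights that matter for records, so plain read ACEs such as the Authenticated Users entry are not reported.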
13.6.4 See Also
MS KB 256643 (Unable to Prevent DNS Zone Administrator from Creating New Zones)
Recipe 13.7 Creating and Deleting Resource Records
13.7.1 Problem
You want to create and delete resource records.
13.7.2 Solution

13.7.2.1 Using a graphical user interface
1. Open the DNS Management snap-in.
2. If an entry for the DNS server you want to connect to does not exist, right-click on DNS
in the left pane and select Connect to DNS Server. Select This computer or The following
computer, enter the server you want to connect to (if applicable), and click OK.
3. If you want to add or delete a record in a forward zone, expand the Forward Lookup Zone
folder. If you want to add or delete a record for a reverse zone, expand the Reverse
Lookup Zone folder.
To create a resource record, do the following:
4. In the left pane, right-click the zone and select the option that corresponds to the record
type you want to create—e.g., New Host (A).
5. Fill in all required fields.
6. Click OK.
To delete a resource record, do the following:
7. In the left pane, click on the zone the record is in.
8. In the right pane, right-click on the record you want to delete and select Delete.
9. Click Yes to confirm.
13.7.2.2 Using a command-line interface
To add a resource record, use the following command:
> dnscmd <DNSServerName> /recordadd <ZoneName> <NodeName> <RecordType>
<RRData>
The following command adds an A record in the rallencorp.com zone:
