Get an answer to a common DNS question and learn how to use DHCP to disable NetBT
This month, I have two short topics for you. The first is an answer to a question readers frequently ask me about DNS. The second keeps a promise that I made in a past column to show you how to use DHCP to disable NetBIOS over TCP/IP (NetBT) on your Windows 2000 machines.
Uprooting DNS
Suppose you've set up a Win2K-based DNS server on your network. To configure it, you right-click within the Microsoft Management Console (MMC) DNS snap-in window, then choose Properties. Then, some strange things happen. You can't access the Forwarders tab because it's grayed out, so you can't tell the DNS server to use a forwarder. The Root Hints tab is also grayed out, so you can't change the list of root servers that your DNS server knows about. What's going on?
For some reason, Win2K configured your DNS server as a private root server. Recall that DNS is a hierarchy of names, as in the Fully Qualified Domain Name (FQDN) www.minasi.com. And yes, that period at the end of the name is deliberate: No DNS name is complete without a period (.) at its end. This name reflects that a machine named www is in a domain named minasi, which is a child domain of the domain named com, which itself is a child domain of the topmost domain of all, the root domain. But we don't spell the root's name out; we represent it with a period. (For information about roots, see "A Root of Your Own," November 1999, InstantDoc ID 7306.) An actual DNS server (13 of them, in fact) contains the DNS records for the root domain. And that domain is queried quite a bit: you typically can't find other domains without first finding the root.
Win2K's DNS server knows that. The first time that you start up a Win2K-based DNS server, it appears to look for the root domain. If the server doesn't find a root domain, it seems (I say "seems" because this behavior appears to be inconsistent) to respond by saying "if I can't find a root, then I must be the only DNS server in the universe" and creating a root domain on itself, in effect disconnecting from the public DNS hierarchy. The server solipsistically decides that it's the authority and that trying to find another DNS server is pointless. Until you cure the server of its delusion, it won't be much good.
Well, let me rephrase that a bit: At times, you might like to have a DNS server unconnected to the public DNS hierarchy. A very secure network, completely disconnected from the Internet, wouldn't need to be able to search the public DNS hierarchy. But in most cases, this situation isn't what you want.
Telling a DNS server that it isn't the root shouldn't be difficult, but it can be frustrating if you don't know how. Here are three ways to introduce your server to the rest of the world. I explain all three so that I can also offer some insight into how to do a bit of under-the-hood work on DNS.
All the methods share the same basic approach: They delete the root domain from your DNS server. The command-line method uses a command called dnscmd.exe from the Win2K Server Tools add-on. You'll need to install the command; you'll find it in the \support\tools folder on the Win2K Server CD-ROM. Then, you can delete the root from your DNS server by typing
dnscmd /zonedelete .
The period at the end of the command is the name of the zone to delete. You must use Dnscmd's /dsdel option if the zone you're deleting is an Active Directory (AD)-integrated zone (although I'm not sure how you'd end up with an AD-integrated root domain). In the command, case doesn't seem to matter.
After you execute the command, I recommend restarting the DNS service. Then, open the DNS snap-in, and you'll see that the Forwarders and Root Hints tabs on the server's Properties page are no longer grayed out.
You can also deroot a DNS server from the DNS snap-in. Open the Forward Lookup Zones folder, and you'll see a folder whose name is simply ".", which, as you now know, is the root domain. Right-click that folder, choose Properties, and check that the zone type is Primary rather than AD-integrated; if the zone is AD-integrated, click Change next to the type and convert the zone to a standard primary zone. Then, in the Forward Lookup Zones folder, right-click the root zone and click Delete. Close the DNS snap-in, restart the DNS Server service, then reopen the DNS snap-in. The Forwarders and Root Hints tabs will no longer be grayed out.
As far as I know, the third uprooting approach works only on a standard primary zone. First, stop the DNS Server service, either from the GUI or by typing
net stop "dns server"
at the command line. Then, edit the registry to remove the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Zones\. subkey (the final period is part of the subkey). Restart the DNS service, and you're back in the public DNS hierarchy.
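Putting the command-line steps together, here is an added batch script (my own example, not code from the column) that checks whether a Win2K DNS server hosts a root (".") zone, removes it with dnscmd if it does, restarts the DNS Server service, and then queries the server for the root name servers so you can confirm it is back in the public hierarchy. It assumes dnscmd.exe from the Support Tools is on the PATH and that dnscmd returns a non-zero exit code when a command fails (the column doesn't say either way, so treat that as an assumption and read the on-screen output as well).

```batch
@echo off
REM uproot.cmd - added example, not from the column.
REM Detect a root (".") zone on a Win2K DNS server and remove it so the
REM Forwarders and Root Hints tabs stop being grayed out.
REM Assumptions: dnscmd.exe (Support Tools) is on the PATH, and dnscmd sets
REM a non-zero exit code when the zone does not exist or a command fails.
REM Usage: uproot.cmd [servername]   (defaults to the local server)

setlocal
set SERVER=%1
if "%SERVER%"=="" set SERVER=127.0.0.1

REM Step 1: is there a "." zone? /ZoneInfo fails when the zone is missing.
dnscmd %SERVER% /ZoneInfo . >nul 2>&1
if errorlevel 1 (
    echo No root zone found on %SERVER%; nothing to delete.
    goto :verify
)

REM Step 2: delete the root zone. /f runs the command without a confirmation
REM prompt. Add /DsDel if the zone turns out to be AD-integrated.
echo Root zone found on %SERVER%; deleting it.
dnscmd %SERVER% /ZoneDelete . /f
if errorlevel 1 (
    echo Zone delete failed. If the root zone is AD-integrated, rerun:
    echo     dnscmd %SERVER% /ZoneDelete . /DsDel /f
    exit /b 1
)

REM Step 3: restart the DNS Server service (only meaningful when run on the
REM DNS server itself) so the snap-in and the resolver see the change.
net stop "dns server"
net start "dns server"

:verify
REM Step 4: ask the server for the root NS records. A server that still
REM believes it is the root answers from its own "." zone instead of
REM listing the public root servers from its root hints.
nslookup -type=NS . %SERVER%
endlocal
```

Run the script on the DNS server itself (the net stop/net start lines act on the local machine), or pass a server name and handle the service restart on that machine by hand. The final nslookup is the check the column describes in GUI terms: if the answer lists the public root servers rather than the server's own name, the deletion took effect.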