CHAPTER 5
DNS AND ACTIVE DIRECTORY INTEGRATION
For Microsoft Windows 2000 Server, the Domain Name System (DNS) service has been carefully
integrated into the design and implementation of Active Directory. When deploying Active Directory
and Windows 2000 Server together:
DNS name resolution is needed to locate Windows 2000 domain controllers. The Netlogon service
uses DNS server support for the service (SRV) resource record to register domain controllers in
your DNS domain namespace. Remember that Netlogon is the source shown in Event Viewer for the
DNS errors that can occur.
Active Directory can be used to store, integrate, and replicate zones.
Lesson 1:
Understanding DNS Name Resolution
The DNS service provides name resolution for clients running Windows 2000. With name resolution,
users can access servers by name rather than having to use IP addresses that are difficult to remember.
Name Resolution
Name resolution is the process of resolving DNS names to IP addresses. Name resolution is similar to
looking up a name in the telephone book, where the name is associated with a telephone number. DNS
resolves www.microsoft.com to its associated IP address, 207.46.130.149. The mapping of names to
IP addresses is stored in the DNS distributed database.
IP Addressing
An IP address identifies each host that communicates by using TCP/IP. Each 32-bit IP address is
separated internally into two parts, a network ID and a host ID.
within a larger TCP/IP internetwork (a network of networks). All the systems that attach and share
access to the same network have a common network ID within their full IP address. This ID is also
used to uniquely identify each network within the larger internetwork.
=====================================================================
winads5.html PAGE 2 2002/02/08
The host ID, also known as the host address, identifies a TCP/IP node (a workstation, server, router,
or other TCP/IP device) within each network. The host ID for each device identifies a single system
uniquely within its own network.
Here is an example of a 32-bit IP address:
10000011 01101011 00010000 11001000
To make IP addressing easier, IP addresses are expressed in dotted decimal notation. The 32-bit IP
address is segmented into four 8-bit octets. The octets are converted to decimal (base-10 numbering
system) and separated by periods. Therefore, the previous IP address example is 131.107.16.200
when converted to dotted decimal notation.
There are 4 classes: A to E:
======================================================================
Class Range and Description
======================================================================
A 1-126 (127 cannot be used; it is the loopback address)
B 128-191
C 192-223
D 224-239 (Multicast)
E 240-247 (Experimental)
======================================================================
Continuing with the sample IP address (131.107.16.200), if the network ID portion (131.107) is
indicated by the first two numbers of the IP address, then the host ID portion (16.200) is indicated
by the last two numbers of the IP address.
Lookup Queries
DNS name servers resolve forward and reverse lookup queries. A forward lookup query resolves a
name to an IP address. A reverse lookup query resolves an IP address to a name. A name server can
only resolve a query for a zone for which it has authority. If a name server cannot resolve the query, it
passes the query to other name servers that can resolve the query. The name server caches the query
results to reduce the DNS traffic on the network.
DNS Zones
Primary – it will try 5 times to contact the primary server.
Secondary – it will try the secondary once if the primary is not available, and then immediately go
back and look for the primary again.
Frequently used Resource Record Types for DNS:
Forward Lookup Query
The DNS service uses a client/server model for name resolution. To resolve a forward lookup query, a
client passes a query to a local name server. The local name server either resolves a query or queries
another name server for resolution.
For a sample forward lookup query, see page 127 of the book:
server.
name-to-IP-address mapping for the client query. The local name server does not have
authority for the Microsoft.com domain, so it passes the query to one of the DNS root
servers, requesting resolution of the host name. The root name server sends back a referral to
the com name servers.
referral to the
The Microsoft name server receives the request. Because the Microsoft name server has
authority for that portion of the domain namespace, it returns the IP address for
www.microsoft.com to the local name server.
Name Server Caching
When a name server is processing a query, it might be required to send out several queries to find the
answer. With each query, the name server discovers other name servers that have authority for a portion
of the domain namespace. The name server caches these query results to reduce network traffic.
When a name server receives a query result the following actions take place:
The name server caches the query result for a specified amount of time, referred to as Time to
Live (TTL).
NOTE: The zone that provided the query results specifies the TTL. TTL is configured using the DNS
console. The default TTL value is 60 minutes.
Once the name server caches the query result, TTL starts counting down from its original value.
When TTL expires, the name server deletes the query result from its cache.
Caching query results enables the name server to resolve other queries to the same portion of the
domain namespace quickly.
NOTE: Use shorter TTL values to help ensure that data about the domain namespace is more
current across the network. Shorter TTL values, however, increase the load on name servers. A
long TTL value decreases the time required to resolve information. However, if a change does occur
(for example, a change in the subnet), the client will not receive the updated information until the TTL
expires and a new query to that portion of the domain namespace is resolved.
Reverse Lookup Query
A reverse lookup query maps an IP address to a name. Troubleshooting tools, such as the NSLOOKUP
command-line utility, use reverse lookup queries to report back host names.
Because the DNS distributed database is indexed by name and not by IP address, a reverse lookup query
would require an exhaustive search of every domain name. To solve this problem, a special second-level
domain called in-addr.arpa was created.
The in-addr.arpa domain follows the same hierarchical naming scheme as the rest of the domain namespace;
however it is based on IP addresses, not domain names:
subnet mask.
**** See the picture on page 130 ****
Lesson Summary
addresses is stored in the DNS distributed database.
he name server for an IP address.
lookup query resolves an IP address to a name.
namespace; however, it is based on IP addresses instead of domain names.
Lesson 2:
Understanding and Configuring Zones
The DNS service allows a DNS namespace to be divided up into zones that store name information about
one or more DNS domains. The zone becomes the authoritative source for information about each DNS
domain name included in a zone.
Zones
The DNS service provides the option of dividing up the namespace into one or more zones, which can then
be stored, distributed, and replicated to other DNS servers. The DNS namespace represents the logical
structure of your network resources, and the DNS zones provide physical storage for these resources.
Zone Planning
When deciding whether or not to divide your DNS namespace to make additional zones, consider the
following reasons to use additional zones:
department within your organization?
servers, improve DNS name resolution performance, or create a more fault-tolerant DNS environment?
the opening of a new branch or site?
If you can answer “yes” to one of these questions, it may be useful to add or restructure your namespace
into additional zones. When choosing how to structure zones, you should use a plan that meets the needs
of your organization.
There are two zone lookup types: forward lookup zones and reverse lookup zones.
Forward Lookup Zones
A forward lookup zone enables forward lookup queries. On name servers, you must configure at least
one forward lookup zone for the DNS service to work. When you install Active Directory using the
Active Directory Installation Wizard and allow the wizard to install and configure your DNS server, the
wizard automatically creates a forward lookup zone based on the DNS name specified for the server.
Zone Type
There are three types of zones that you can configure:
Active Directory-integrated. An Active Directory-integrated zone is the master copy of a new zone. The
zone uses Active Directory to store and replicate zone files.
Standard primary. A standard primary zone is the master copy of a new zone stored in a standard text file.
You administer and maintain a primary zone on the computer on which you create the zone.
Standard secondary. A standard secondary zone is a replica of an existing zone. Secondary zones are
read-only and are stored in standard text files. A primary zone must be configured before a secondary
zone can be created. When creating a secondary zone, you must specify the DNS server, called the master
server, that will transfer zone information to the name server containing the standard secondary zone.
You create a secondary zone to provide redundancy and to reduce the load on the name server containing
the primary zone database file.
Benefits of Active Directory-Integrated Zones
For networks deploying DNS to support Active Directory, directory-integrated primary zones are
strongly recommended and provide the following benefits:
a new zone is added to an Active Directory domain.
planning and administration for both DNS and Active Directory.
Zone Name
A zone is named after the highest domain in the hierarchy that the zone encompasses, that is the root
domain for the zone.
Zone File
For the standard primary forward lookup zone type you must specify a zone file. The zone file is the
zone database file name, which defaults to the zone name with a .dns extension. For example, if your
zone name is Microsoft.com, the default zone database file name is MICROSOFT.COM.DNS.
Master DNS Servers
For the standard secondary forward lookup zone type you must specify the DNS servers from which
you want to copy the zone. You must enter the IP address of one or more DNS servers.
Reverse Lookup Zones
A reverse lookup zone enables reverse lookup queries. Reverse lookup zones are not required.
However, a reverse lookup zone is required to run troubleshooting tools, such as NSLOOKUP,
and to record a name instead of an IP address in Internet Information Services (IIS) log files.
Zone Type
For the zone type, select Active Directory-integrated, Standard Primary, or Standard Secondary, as
defined previously.
Reverse Lookup Zone
To identify the reverse lookup zone, type the network ID or the name of the zone.
Zone File
For the standard primary forward lookup zone type, you must specify a zone file. The network ID
and subnet mask determine the default zone file name. DNS reverses the IP octets and adds the
in-addr.arpa suffix. For example, the reverse lookup zone file for the 169.254 network becomes
254.169.in-addr.arpa.dns.
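An added example, not from these notes, that carries the rules above through in Python: the class table and classful network/host split from Lesson 1, and the reversed-octet in-addr.arpa zone and .dns file naming described here. The host name passed to ptr_record is a constructed sample value.

```python
def parse(address):
    """Split a dotted-decimal value (1 to 4 octets) into a list of ints."""
    octets = [int(part) for part in address.split(".")]
    if not 1 <= len(octets) <= 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal IPv4 value: {address!r}")
    return octets


def to_binary(address):
    """Render an address as four 8-bit groups, as in the notes' example."""
    return " ".join(f"{o:08b}" for o in parse(address))


def address_class(address):
    """Class by first octet, per the class table above (127 is the loopback)."""
    first = parse(address)[0]
    if first == 127:
        return "loopback"
    ranges = {"A": (1, 126), "B": (128, 191), "C": (192, 223),
              "D": (224, 239), "E": (240, 247)}
    for name, (low, high) in ranges.items():
        if low <= first <= high:
            return name
    raise ValueError(f"first octet {first} is outside the listed classes")


def split_network_host(address):
    """Classful split: class A has 1 network octet, B has 2, C has 3."""
    width = {"A": 1, "B": 2, "C": 3}.get(address_class(address))
    if width is None:
        raise ValueError("class D/E addresses are not split into network and host")
    parts = [str(o) for o in parse(address)]
    return ".".join(parts[:width]), ".".join(parts[width:])


def reverse_zone(network_id):
    """Reverse the octets and add the in-addr.arpa suffix: 169.254 -> 254.169.in-addr.arpa."""
    parts = [str(o) for o in parse(network_id)]
    return ".".join(reversed(parts)) + ".in-addr.arpa"


def reverse_zone_file(network_id):
    """Default zone database file name: the zone name plus a .dns extension."""
    return reverse_zone(network_id) + ".dns"


def ptr_record(address, host_name):
    """Reverse zone (from the classful network ID) and the PTR record that maps
    the full address back to its name; host_name is a constructed sample value."""
    network_id, _ = split_network_host(address)
    return reverse_zone(network_id), f"{reverse_zone(address)} PTR {host_name}."
```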
Resource Records
Resource records are entries in the zone database file that associate DNS domain names to related
data for a given network resource, such as an IP address. There are many different types of
resource records. When a zone is created, DNS automatically adds two resource records: The
Start of Authority (SOA) and the Name Server (NS) records.
======================================================================
Resource Record Type        Description
======================================================================
Host (A)                    Lists the host name-to-IP address mappings for a forward lookup zone.
Alias (CNAME)               Creates an alias, or alternate name, for the specified host name.
Host Information (HINFO)    Identifies the CPU and operating system used by the host.
Mail Exchanger (MX)         Identifies which mail exchanger to contact for a specified domain and
                            in what order to use each mail host.
Name Server (NS)            Lists the name servers that are assigned to a particular domain.
Pointer (PTR)               Points to another part of the domain namespace. For example, in a
                            reverse lookup zone, it lists the IP-address-to-name mapping.
Service (SRV)               Identifies which servers are hosting a particular service.
Start of Authority (SOA)    Identifies which name server is the authoritative source of information
                            for data within this domain. The first record in the zone database file
                            must be the SOA record.
==========================================================================
Delegating Zones
A zone starts as a storage database for a single DNS domain name. If other domains are added below the
domain used to create the zone, these domains can either be part of the same zone or part of another zone.
Once a subdomain is added it can then be:
When you delegate zones within a namespace, you must also create SOA resource records to point to the
authoritative DNS server for the new zone. This is necessary both to transfer authority and to provide correct
referral to other DNS servers and clients of the new servers being made authoritative for the new zone.
Configuring Dynamic DNS
You can configure a list of authorized servers to initiate dynamic updates. This list can include secondary name
servers, domain controllers, and other servers that perform network registration for clients, such as servers
running the Dynamic Host Configuration Protocol (DHCP) service or Microsoft Windows Internet Name Service
(WINS).
DDNS and DHCP
DDNS interacts with the DHCP service to maintain synchronized name-to-IP mappings for network hosts.
By default, the DHCP service allows clients to add their own A (Host) records to the zone, and the DHCP
service adds the PTR resource record to the Zone. The DHCP service cleans up both the A and PTR
resource records in the zone when the lease expires.
Lesson Summary:
which can then be stored, distributed, and replicated to other DNS servers. The DNS
namespace represents the logical structure of your network resources, and DNS zones
provide physical storage of these resources.
primary zones are strongly recommended and provide the following benefits: multimaster
update and enhanced security, automatic zone replication when new domain controllers are
added, simplified administration with integrated namespace storage, and faster replication.
and clients within a network automatically update the zone database files.
Lesson 3:
Zone Replications and Transfer
Zone transfer is the process by which DNS servers interact to maintain and synchronize authoritative
name data.
Zone Replication and Zone Transfers
Because of the important role that zones play in DNS, it is intended that they be available from more
than one DNS server on the network, to provide availability and fault tolerance when resolving name
queries. Otherwise, if a single server is used and that server is not responding, queries for names in
the zone can fail. For additional servers to host a zone, zone transfers are required to replicate and
synchronize all copies of the zone used at each server configured to host the zone.
When structuring your zones, there are several good reasons to use additional DNS servers for zone
replication:
resolved for clients if a primary server for the zone stops responding.
a DNS server to the opposing side of a low-speed wide area network (WAN) link can be
useful in managing and reducing network traffic.
When a new DNS server is added to the network and is configured as a new secondary server for an
existing zone, it performs a full zone transfer (AXFR) to obtain and replicate a full copy of resource
records for the zone.
Incremental Zone Transfers
IXFR is described in RFC 1995 as an additional DNS standard for replicating DNS zones. IXFRs
provide a more efficient method of propagating zone changes and updates.
With IXFR zone transfers, differences between the source and replicated versions of the zone are first
determined. If the zones are identified to be the same version, as indicated by the serial number field
in the SOA resource record of each zone, no transfer is made.
Example: Zone Transfer
In addition to a manual initiation, a zone transfer occurs during any of the following scenarios:
Zone transfers are always initiated by the secondary server for a zone and sent to the DNS server
configured as its source for the zone. The source server can be any other DNS server that loads the
zone, either a primary or another secondary server. When the source server receives the request for
the zone, it can reply with either a partial or full transfer of the zone.
**** See the example on page 145 ****
NOTE: For Windows 2000 Server, incremental zone transfer through IXFR query is supported. For
earlier versions of the DNS service running in Windows NT Server 4.0, and for many other DNS server
implementations, incremental zone transfer is not available and only full-zone (AXFR) queries and
transfers are used to replicate zones.
DNS Notification
The DNS service supports DNS notification, which is an updated version of the DNS standard
specification (RFC 1996). DNS notification implements a push mechanism for notifying a select set
of secondary servers for a zone when a zone is updated. The notified servers can then initiate the
zone transfer process and pull changes from the notifying server to update the zone.
Use DNS notification only to notify DNS servers that are operating as secondary servers for a zone.
For replication of directory-integrated zones, DNS notification is not needed. This is because any
DNS servers that load a zone from Active Directory automatically poll the directory approximately
once every 15 minutes (depending on the SOA refresh interval setting) to update and refresh the
zone.
DNS Notify Process
The local zone on the DNS server acting as a source for the zone to other servers is updated. When
the zone is updated at the source, the serial number field in the SOA record also updates, indicating
a new local version of the zone.
The source server sends a notify message to other servers specified on the Notify screen.
All secondary servers that receive the notification message can then respond by initiating a zone transfer
request back to the notifying server. The normal zone transfer process can then continue as described
in the previous section.
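An added example, not from these notes or from the Windows 2000 DNS service, that models in Python the secondary server's side of the zone transfer and DNS Notify processes described above: compare SOA serial numbers, request IXFR when the copy is behind, fall back to AXFR when the source has no journal reaching back to the secondary's serial, and do a full initial transfer for a newly configured secondary. The serial comparison uses RFC 1982 wraparound arithmetic (an assumption beyond what the notes state); the serials, names and records are constructed sample data.

```python
MODULUS, HALF = 2 ** 32, 2 ** 31   # the SOA serial number is a 32-bit field

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic (assumed here): True if candidate is after current."""
    return 0 < (candidate - current) % MODULUS < HALF

class SourceServer:   # server the zone is loaded from; journals changes for IXFR
    def __init__(self, serial, records):
        self.serial = serial
        self.records = dict(records)   # owner name -> rdata
        self.journal = {}              # from_serial -> (to_serial, removed, added)

    def update(self, new_serial, removed=(), added=None):
        added = dict(added or {})      # change the zone; SOA serial moves forward
        for name in removed:
            del self.records[name]
        self.records.update(added)
        self.journal[self.serial] = (new_serial, tuple(removed), added)
        self.serial = new_serial

    def answer(self, kind, client_serial):
        """Reply ('IXFR', serial, steps) or ('AXFR', serial, full records)."""
        steps, s = [], client_serial
        while kind == "IXFR" and s != self.serial:
            if s not in self.journal:  # journal does not reach back to the client's serial
                kind = "AXFR"
                break
            s, removed, added = self.journal[s]
            steps.append((removed, added))
        if kind == "IXFR":
            return ("IXFR", self.serial, steps)
        return ("AXFR", self.serial, dict(self.records))

class SecondaryServer:   # read-only replica; serial None = newly configured secondary
    def __init__(self, serial=None, records=None):
        self.serial, self.records = serial, dict(records or {})

    def refresh(self, source):
        """Run at the SOA refresh interval or on a NOTIFY; returns what was transferred."""
        if self.serial is None:
            kind = "AXFR"              # full initial transfer for a new secondary
        elif not serial_newer(source.serial, self.serial):
            return "NONE"              # same version at both ends: no transfer
        else:
            kind = "IXFR"
        reply, new_serial, payload = source.answer(kind, self.serial)
        if reply == "AXFR":
            self.records = payload
        else:                          # apply each journaled step in order
            for removed, added in payload:
                self.records = {n: r for n, r in self.records.items() if n not in removed}
                self.records.update(added)
        self.serial = new_serial
        return reply

def run_scenario():
    """Constructed sample: new secondary, no-op refresh, two source edits, then IXFR."""
    src = SourceServer(2002020801, {"www": "A 131.107.16.200", "mail": "A 131.107.16.201"})
    sec = SecondaryServer()
    first, second = sec.refresh(src), sec.refresh(src)
    src.update(2002020802, added={"ftp": "A 131.107.16.202"})
    src.update(2002020803, removed=["mail"])
    return [first, second, sec.refresh(src)], sec.serial, dict(sec.records)
```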
Lesson Summary:
server for an existing zone, it performs a full initial transfer of the zone to obtain and
replicate a full copy of resource records for the zone. For Windows 2000 Server, the
DNS service supports incremental zone transfer, a revised, more efficient DNS zone
transfer process for intermediate changes.
servers for a zone when a zone is updated.
directory-integrated zones, DNS notification is not needed.
Lesson 4:
Monitoring and Troubleshooting DNS for Active Directory
Monitoring DNS Servers
Windows 2000 Server includes two options for monitoring DNS servers:
Default logging of DNS server event messages to the DNS server log.
Optional debug options for trace logging to a text file on the DNS server computer.
DNS Server Event Logging:
For Windows 2000 Server, DNS server event messages are kept separate from events raised by
other applications and services in the DNS server log, which can be viewed using Event Viewer.
The DNS server log contains basic predetermined events logged by the DNS server service,
such as when the DNS server starts and stops.
Debug Options
The DNS console allows you to set additional logging options to create a temporary, text-based
trace log of DNS server activity. The file created and used for this feature, DNS.LOG, is stored
in the systemroot\System32\Dns folder.
By default, all debug logging options are disabled. When selectively enabled, the DNS
server service can perform additional trace-level logging of selected types of events or messages for
general troubleshooting and debugging of the server.
**** See the charts on pages 150 to 151 ****
Lesson Summary: