
Active Directory

DNS

What is DNS?

- Internet protocol
- Distributed database
- Maps hierarchically organized keys to values
  - e.g. host name to IP address, mail records
- Name space
- Developed to replace the hosts file

DNS Namespace

(diagram: part of the DNS tree)

. (root)
|-- com   (3com, dell, ati)
|-- mil
|-- org
|-- edu
|-- gov
|-- net
|-- arpa
|-- uk
|   |-- co
|   `-- ac
|       |-- ox   (chem, oucs, bnc)
|       `-- ic
`-- fr

DNS Namespace

- Hierarchical tree of domains
  - Root
  - Top level domains (gov, edu, com, fr, se, uk etc.)
  - Some countries have subdomains denoting organisation type (e.g. ac.uk, co.uk)
  - Subdomains generally for specific organisations (e.g. mit.edu, microsoft.com etc.)
  - Subdomains within an organisation (e.g. oucs.ox.ac.uk)
- Technically, a domain is the part of the name space at or below the domain name identifying the domain.

Delegation of Responsibility

- Vital to understand this concept
- DNS database is distributed
  - No one server is responsible for the whole namespace
- A given name server is responsible for part of the namespace
  - Called a zone
  - Server is authoritative for the zone

Delegation of Authority

- Authority is delegated from the top down
- Cannot simply set up a name server for a domain and expect clients to resolve names correctly
  - Will not work
- Name servers for the parent domain must know that authority has been delegated to the new domain
  - e.g. if a new ac.uk domain xxx.ac.uk is created, the name servers for ac.uk must be configured with NS records naming the name servers responsible for the new domain; until then resolvers walking down from the root never reach the new servers

DNS Queries

- Client queries DNS server
- DNS server
  - Checks its cache
  - Checks whether it contains the information in its own zone files
  - Queries other name servers iteratively
  - Returns an answer

Iterative Queries

Example: client queries its name server for the IP address of fred.test.com

1. Name server sends the query to the root name servers
2. Root name servers refer it to the name servers authoritative for the com domain
3. Name server queries the com domain name servers
4. com name servers refer it to the name servers authoritative for the test.com domain
5. Name server queries the test.com domain name servers
6. test.com name servers return the answer
7. Name server returns the answer to the client
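The seven-step walk above, and the delegation point from the previous slide (a zone nobody has delegated is invisible), as an added example that is not part of the original presentation. The zone data is constructed: server names ending in .example and the 192.0.2.x addresses are placeholders, and xxx.ac.uk is deliberately set up on its own server without an NS record in ac.uk so the failure can be seen.

```python
"""Iterative DNS resolution walked over a constructed set of zones.

Added example, not from the slides: zone data is made up to mirror the
fred.test.com walk and the ac.uk delegation point in the text. Addresses
are RFC 5737 documentation addresses; the server names are invented.
"""
from typing import Dict, List, Optional, Tuple

Zone = Dict[str, List[Tuple[str, str]]]   # owner name -> [(type, rdata)]

# Constructed authoritative data, one entry per zone, keyed by zone apex.
# An NS record at a name below the apex is a delegation to a child zone.
ZONES: Dict[str, Zone] = {
    ".": {
        "com.": [("NS", "a.gtld-servers.example.")],
        "uk.": [("NS", "ns1.nic.uk.example.")],
    },
    "com.": {
        "test.com.": [("NS", "ns1.test.com.")],
        "ns1.test.com.": [("A", "192.0.2.53")],   # glue for the delegation
    },
    "test.com.": {
        "fred.test.com.": [("A", "192.0.2.10")],
    },
    "uk.": {
        "ac.uk.": [("NS", "ns0.ja.net.example.")],
    },
    "ac.uk.": {
        "ox.ac.uk.": [("NS", "dns0.ox.ac.uk.")],
        # No NS for xxx.ac.uk: the new domain has NOT been delegated.
    },
    "ox.ac.uk.": {
        "dns0.ox.ac.uk.": [("A", "192.0.2.1")],
    },
    "xxx.ac.uk.": {   # exists on its own server, but nothing points here
        "host.xxx.ac.uk.": [("A", "192.0.2.99")],
    },
}


def _under(name: str, owner: str) -> bool:
    """True if name equals owner or lies below it in the tree."""
    return name == owner or name.endswith("." + owner)


def find_delegation(zone: str, name: str) -> Optional[Tuple[str, List[str]]]:
    """The closest (longest) delegation in `zone` that covers `name`, or None."""
    best = None
    for owner, rrs in ZONES[zone].items():
        ns = [rdata for rtype, rdata in rrs if rtype == "NS"]
        if owner != zone and ns and _under(name, owner):
            if best is None or len(owner) > len(best[0]):
                best = (owner, ns)
    return best


def resolve(name: str, qtype: str = "A", max_referrals: int = 16):
    """Resolve like a server with only root hints and no forwarders: start at
    the root and follow referrals until an authoritative server answers or
    says the name does not exist. Returns (answer rdata list, trace)."""
    zone, trace = ".", []
    for _ in range(max_referrals):
        trace.append(f"query {zone} for {name} {qtype}")
        answer = [rdata for rtype, rdata in ZONES[zone].get(name, []) if rtype == qtype]
        if answer:
            trace.append(f"{zone} answers {' '.join(answer)}")
            return answer, trace
        deleg = find_delegation(zone, name)
        if deleg is None:
            # Authoritative server, no delegation covers the name: negative answer.
            trace.append(f"{zone} is authoritative and has no such name (NXDOMAIN)")
            return [], trace
        child, ns = deleg
        trace.append(f"{zone} refers to {child} ({', '.join(ns)})")
        if child not in ZONES:
            trace.append(f"no reachable server for {child} (lame delegation)")
            return [], trace
        zone = child
    raise RuntimeError("too many referrals")


def delegate(parent: str, child: str, ns: str) -> None:
    """What the parent zone's administrators must do: add an NS record for the child."""
    ZONES[parent].setdefault(child, []).append(("NS", ns))


if __name__ == "__main__":
    for q in ("fred.test.com.", "host.xxx.ac.uk."):
        _, trace = resolve(q)
        print("\n".join(trace), end="\n\n")
    delegate("ac.uk.", "xxx.ac.uk.", "ns.xxx.ac.uk.")
    print("\n".join(resolve("host.xxx.ac.uk.")[1]))
```

Run it and the first trace is the slide's steps 1 to 6 (step 7 is the return to the client). The second query dies at ac.uk with NXDOMAIN even though a server for xxx.ac.uk exists, and only succeeds after `delegate()` puts the NS record in the parent.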

Root hints and Forwarders

- Root hints table provides IP addresses of name servers for the root domain
  - Starting point for iterative queries
- DNS server can be configured to use forwarders
  - Queries for information about which it is not authoritative are passed to other name servers (the forwarders) instead of being resolved iteratively from the root

Zones

- Zone may contain a domain or part of a domain
- A name server may be authoritative for more than one zone
- Should be a minimum of two name servers for a zone (resilience)
  - One server is primary: start of authority for the zone
  - Others are secondaries
  - Updates to the primary are replicated to the secondaries (zone transfer)
- Subsidiary zones can be delegated to other name servers

DNS Records

- A      host name to IP address mapping
- NS     name server
- MX     mail exchanger
- SOA    start of authority
- CNAME  canonical name (alias)
- PTR    pointer (IP address to host name)
- SRV    service locator record (required by Windows 2000)
- and others

DNS Overview Reference

Domain Name Service (DNS)
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/network/deploy/confeat/domain.asp

Active Directory and the DNS

- Active Directory requires DNS
- Used to locate services, e.g.
  - client locating a domain controller
  - domain controller locating replication partners
- Active Directory requires SRV record support
- Active Directory prefers dynamic registration (DDNS)

How does AD use the DNS

- A Windows 2000 system will attempt to register its A record in the DNS
- Domain controllers will attempt to register around 20 SRV records in the DNS
- Things will break if the correct records for DCs are not in the DNS

Active Directory Namespace

(diagram: example forest)

test.com
|-- fr.test.com
|   |-- sales.fr.test.com
|   `-- accounts.fr.test.com
`-- uk.test.com

- For the above AD forest structure to function correctly, all domains must be registered in DNS:
  - test.com, fr.test.com, uk.test.com, sales.fr.test.com, accounts.fr.test.com

Records required by DCs

- About 20 SRV records required by a DC
  - Number determined by the functions of the DC
- Registered in 4 subdomains of the domain name, e.g. for sales.fr.test.com:
  - _tcp.sales.fr.test.com
  - _udp.sales.fr.test.com
  - _msdcs.sales.fr.test.com
  - _sites.sales.fr.test.com
- One A record also required, registered in one of these subdomains

Windows 2000 Overview Reference

Windows 2000 DNS White Paper
http://www.microsoft.com/windows2000/docs/w2kdns.doc

DNS Setup to support AD in Oxford

- Various methods of setting up DNS for AD
  - Can even have different internal host names and internet host names
- Oxford has chosen to integrate into the existing structure
  - Carry on using BIND without DDNS for the main DNS (security)
  - Delegate four subdomains for each unit to local Windows 2000 DNS servers
  - http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP for details of this scenario

Advantages of chosen AD DNS Setup in Oxford

- Main DNS remains secure (no dynamic DNS)
- Host names controlled at central level
- Client configuration remains unchanged
- Only main DNS servers visible outside the firewall
- Allows dynamic DNS for DCs
  - DCs need this most
- Can use Active Directory integrated zones
  - More secure (secure dynamic updates, so only authenticated machines can change their own records)
  - Multimaster replication

Disadvantages of chosen AD DNS Setup in Oxford

- Unit domain name must be identical to the unit DNS name
- Limited to a single domain per unit
  - May be seen as an advantage
  - Unlikely to be a problem as it might have been for NT, because of improvements in Windows 2000
  - NB: can still group related units together into a multi-domain forest if required

Configuring DNS on Domain Controllers in Oxford

- http://www.oucs.ox.ac.uk/micros/oss/win2k/w2koxford.html and follow the DNS Instructions link for full instructions
- Generally
  - DNS must be configured for everything to work (e.g. replication)
  - DNS for the first DC in the forest can be configured before or after promotion to DC
  - DNS for subsequent DCs in the forest should be configured before promotion to DC

Steps to Configure DNS on the first Domain Controller

1. Delegate authority for the subdomains from the main DNS (web form or mail hostmaster)
2. Install DNS on the first domain controller (N.B. this can be done before or after promotion to DC)
3. Create and configure the _tcp, _udp, _msdcs and _sites subdomains; delete the unit domain if you used the wizard to install
4. Ensure the DC is configured to use itself as DNS server in its TCP/IP configuration
5. Make sure it is all working!
6. If desired, tweak the registry to prevent error messages

Steps to Configure DNS on Subsequent Domain Controllers

1. Ensure the DNS setup on the first DC is correct and working before installing other DCs
2. Disable secure updates for all subdomains on the first DC
   - While secure updates are off, any host that can reach the server can write to these subdomains, so keep the window short and re-enable at step 6
3. Ensure the new server is configured to use only the first DC as DNS server in its TCP/IP configuration
4. Promote the server to domain controller
5. Make sure that its entries are registered in DNS
6. Enable secure updates for the subdomains on the first DC
7. If desired, install DNS on the new DC
   - Set it as its own DNS server in its TCP/IP configuration

Hints and Caveats

- NB: the first DC will generally operate correctly without a proper DNS setup; the second will not
  - May not be able to install AD on the 2nd; replication may break
- Incorrect DNS setup can cause major problems, e.g. with replication
- Never install another DC with an incorrectly functioning DNS
  - Always check correct registration etc.
- Don't turn off "Register this connection's addresses in DNS" on DCs
  - Stops all registrations, including SRV, for SP1 and above
  - http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP

Hints and Caveats cont.

- Event log error message 5774 will be seen (sometimes also 5775) because unitname.ox.ac.uk cannot be registered
  - This record is unnecessary; edit the registry to stop this, but if so you will need to put in another required entry manually for global catalog servers
  - http://support.microsoft.com/support/kb/articles/Q280/4/39.ASP
  - http://support.microsoft.com/support/kb/articles/Q258/2/13.ASP

Hints and Caveats cont.

- For Active Directory-integrated zones, no configuration is required for DNS servers installed on DCs after the first DNS server is installed and configured
  - Zone information is stored in Active Directory
- May be a good idea to set DNS servers up to forward requests to the Oxford DNS servers (forwarders)
  - Most requests likely to be for Oxford addresses
  - Not currently in the instructions

Hints and Caveats cont.

- If you initially set up a test network with no WAN connection, the DNS server may be set up as a root server
  - If so, it may be missing the root hints table; you may be unable to access the Root Hints and Forwarders tabs
  - If it exists, delete the root domain entry (.)
  - May also need to replace the root hints table from the sample file (unnecessary if configured to use forwarders)
  - http://support.microsoft.com/support/kb/articles/Q229/8/40.ASP
  - http://support.microsoft.com/support/kb/articles/Q249/8/68.ASP

Hints and Caveats cont.

- Manually adding an SRV record may not work
  - e.g. _rvp._tcp.unit.ox.ac.uk for NetMeeting
  - Problem with the snap-in; use dnscmd.exe from the Support Tools instead
  - http://support.microsoft.com/support/kb/articles/Q282/5/23.ASP
  - NB: the above article is incorrect; dnscmd.exe is in the Support Tools, not the Resource Kit

Hints and Caveats cont.

- The Netlogon service is responsible for dynamic DNS registrations
  - Refreshes registrations every two hours
- DNS entries are stored in the netlogon.dns file in %systemroot%\system32\config on DCs (%systemroot% is already C:\WINNT)
- Root hints table is called cache.dns in %systemroot%\system32\dns
  - Sample copy in the samples subdirectory
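Reading netlogon.dns is the quickest way to do the "make sure its entries are registered" check from the DC steps, and it shows in one place the "about 20 records in four subdomains" slide, the 5774 caveat and why the Oxford delegation scheme is safe. The following is an added example, not from the presentation or from Microsoft. SAMPLE is a constructed netlogon.dns for a DC called dc1 in the slides' unit.ox.ac.uk domain, site Default-First-Site-Name; the GUIDs and the 192.0.2.10 address are made up, and the set of "locator" SRV names checked at the end is this example's own choice of minimum, not a Microsoft list.

```python
"""What a Windows 2000 DC asks DNS to register, read from its netlogon.dns.

Added example, not from the slides or from Microsoft. SAMPLE is a constructed
netlogon.dns (standard zone-file syntax) for dc1 in unit.ox.ac.uk; GUIDs and
addresses are invented.
"""
from collections import Counter
from typing import Dict, List

DOMAIN = "unit.ox.ac.uk."
DELEGATED = ("_tcp", "_udp", "_msdcs", "_sites")   # the four subdomains Oxford delegates

SAMPLE = """\
unit.ox.ac.uk. 600 IN A 192.0.2.10
_ldap._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
_ldap._tcp.Default-First-Site-Name._sites.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
_ldap._tcp.pdc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
_ldap._tcp.gc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 3268 dc1.unit.ox.ac.uk.
_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 3268 dc1.unit.ox.ac.uk.
_ldap._tcp.11111111-2222-3333-4444-555555555555.domains._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
66666666-7777-8888-9999-aaaaaaaaaaaa._msdcs.unit.ox.ac.uk. 600 IN CNAME dc1.unit.ox.ac.uk.
_kerberos._tcp.dc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.
_ldap._tcp.dc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.
_kerberos._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.
_gc._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 3268 dc1.unit.ox.ac.uk.
_gc._tcp.Default-First-Site-Name._sites.unit.ox.ac.uk. 600 IN SRV 0 100 3268 dc1.unit.ox.ac.uk.
_kerberos._tcp.Default-First-Site-Name._sites.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.
_kerberos._udp.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.
_kpasswd._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 464 dc1.unit.ox.ac.uk.
_kpasswd._udp.unit.ox.ac.uk. 600 IN SRV 0 100 464 dc1.unit.ox.ac.uk.
gc._msdcs.unit.ox.ac.uk. 600 IN A 192.0.2.10
"""


def parse_netlogon_dns(text: str) -> List[Dict[str, str]]:
    """Parse zone-file lines of the form: owner ttl IN type rdata..."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        owner, ttl, klass, rtype, *rdata = line.split()
        records.append({"owner": owner, "ttl": ttl, "class": klass,
                        "rtype": rtype, "rdata": " ".join(rdata)})
    return records


def delegated_subdomain(owner: str, domain: str = DOMAIN) -> str:
    """Which delegated subdomain an owner name falls under, or 'outside' for
    names the static central zone will never accept (e.g. the domain apex)."""
    suffix = "." + domain
    if owner == domain or not owner.endswith(suffix):
        return "outside"
    top = owner[: -len(suffix)].split(".")[-1]    # label just below the domain
    return top if top in DELEGATED else "outside"


def summarise(records: List[Dict[str, str]], domain: str = DOMAIN) -> Dict[str, int]:
    """Record count per subdomain; 'outside' > 0 is what produces event 5774."""
    return dict(Counter(delegated_subdomain(r["owner"], domain) for r in records))


def outside_delegation(records: List[Dict[str, str]], domain: str = DOMAIN) -> List[str]:
    """Owner names the DC will try, and fail, to register under this scheme."""
    return [r["owner"] for r in records
            if delegated_subdomain(r["owner"], domain) == "outside"]


def missing_locator_records(records: List[Dict[str, str]], domain: str = DOMAIN) -> List[str]:
    """SRV names a client needs to find a DC and authenticate; this minimum set is
    the example's own choice for the check (assumption), not a Microsoft list."""
    want = {f"_ldap._tcp.{domain}", f"_kerberos._tcp.{domain}",
            f"_kerberos._udp.{domain}", f"_kpasswd._tcp.{domain}",
            f"_ldap._tcp.dc._msdcs.{domain}"}
    have = {r["owner"] for r in records if r["rtype"] == "SRV"}
    return sorted(want - have)


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE)
    print(len(recs), "records:", summarise(recs))
    print("not under a delegated subdomain:", outside_delegation(recs))
    print("missing locator records:", missing_locator_records(recs))
```

The only record that falls outside the four delegated subdomains is the unit.ox.ac.uk apex A record, which is exactly the one the 5774 caveat says is unnecessary. Run against a real DC's netlogon.dns (and compare with what `nslookup -type=SRV` returns from the DC's own server) it tells you both what failed to register and what a client could not find.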

Setup for Install/DNS Practical

- Set up the front desk PC as authoritative for ad.oucs-public.ox.ac.uk
  - Include zones for dom1.ad.oucs-public.ox.ac.uk etc.
  - Delegate _msdcs, _sites, _tcp, _udp etc. for dom1, dom2 etc. to the servers
- Point the servers at the front desk PC as DNS server

Installation and DNS Practical

- First server: set up DNS as per the current instructions
- Run dcpromo to install AD on the first server
- Point the second server at the first server for DNS resolution
- Run dcpromo to install AD on the second server
- Switch DNS on the first server to AD integrated

Installation and DNS Practical cont.

- Install DNS on the second server and see how it picks up the AD integrated DNS configuration
- Look at the different options that can be configured
- Become familiar with the records registered
- Turn off "Register this connection's addresses in DNS" on the 2nd server, reboot, and check the effect this has
