Changes to DNS in Windows Server 2003
By David Pracht
This overview discusses the changes made to Domain Name System (DNS) in Windows Server 2003.
Overview of the changes
– Corrected issues
– DNS auto configuration in DCpromo
– Application directory partitions
– Stub zones
– Conditional forwarders
– Client DNS group policy
– DNS security extensions
– DNS extension mechanism
– DNS logging enhancements
– Round robin update
– Active Directory® domain rename
Corrected Issues
– The Active Directory name is now forced as the domain suffix
Root Zone Issue
– A root zone must be created manually
Island Server Issue
– DNS servers register their DsaGuid._msdcs.<forestname> record with each DNS server that is a member of the domain
DNS Auto Configuration in DCpromo
Client DNS settings automatically update if one of the following scenarios is met:
– There is a single network connection.
– The preferred and alternate DNS settings match on all interfaces.
– DNS settings exist only on one connection.
DNS Auto Configuration Process
1. Query the current DNS servers specified in network settings.
2. Update root hints using the largest set found.
3. Configure forwarders with the current preferred and alternate DNS servers.
4. Configure DNS settings with 127.0.0.1 and then configure all previous preferred and alternate DNS servers. If successful, log the result in Event Viewer.
If No Root Hints Found
If no root hints are found, the following event is logged:
The DNS server could not configure network connections of this computer with the DNS server running on the computer as the preferred DNS server because this computer is connected to the networks with different DNS namespaces. You must manually configure the local DNS server to perform name resolution on one or more of the namespaces before you can modify the preferred DNS servers (part of the TCP/IP configuration) of the network connections.
If the network connections of this computer are not configured with the DNS server running on the computer as the preferred DNS server, this computer may not be able to dynamically register the domain controller locator DNS records in DNS. Absence of these records in DNS may prevent other Active Directory domain members and domain controllers from locating this domain controller.
Take the following steps: Ensure that DC locator DNS records enumerated in the %WinRoot%./System32/config/netlogon.dns file are registered on the local DNS server. If these records are not registered in DNS, add a delegation to this server to a parent DNS zone for the zone matching the name of the Active Directory domain or configure the local DNS server with appropriate root hints and forwarders, if necessary, and configure the network connections of the computer with the DNS server running on the computer as the preferred DNS server. Note that other computers using other DNS servers as the preferred or alternate DNS server may not be able to locate this domain controller unless the DNS infrastructure is properly configured.
Application Directory Partitions
In Microsoft® Windows® 2000, if the DNS server is configured to use Active Directory-integrated zones, the DNS zone data is stored in the domain naming context (DNC) partition of Active Directory. Every object created in the DNC, which includes DNS zones and nodes (DNS names, such as microsoft.com), is replicated to all the GCs in the domain. In Windows Server 2003, by contrast, application directory partitions enable storage and replication of DNS zones in the nondomain naming context (NDNC) partition of Active Directory. By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC, a significant reduction in the number of objects that are normally stored there.
Zone Replication Options
All DNS servers in the Active Directory forest
– The zone data is replicated to all the DNS servers running on domain controllers in all domains of the Active Directory forest.
All DNS servers in a specified Active Directory domain
– The zone data is replicated to all DNS servers running on domain controllers in the specified Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication.
All domain controllers in the Active Directory domain
All domain controllers specified in the replication scope of an application directory partition
To Create or Delete an application directory partition
1. Open a command prompt.
2. Type ntdsutil.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server DomainController.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, do one of the following:
– To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController.
– To delete an application directory partition, type delete nc ApplicationDirectoryPartition.
Stub Zones
– Allow a parent domain to automatically identify the DNS servers in a child domain.
– Contain only the SOA, NS, and A records.
– The DNS server is able to query the NS directly instead of through recursion with root hints.
– Changes to zones are made when the master zone is updated or loaded.
– The local list of master servers defines physically local servers from which to transfer.
Stub Zone Viewed From DNS Manager
Local List of Master Servers
Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource records. To force replication with a specific set of servers, select the Use the list above as a local list of masters check box on the General tab of the stub zone properties. This option will only be available if the zone is stored in Active Directory. The list is kept in the registry and not replicated in Active Directory.
Stub Zone Properties Tab
Conditional Forwarders
– Forward DNS queries, based on the name in the query, to specific servers that have the closest match, in the order listed.
– You can disable recursion specifically for each forwarder.
– Primarily used for managing name resolution between different namespaces in your network.
Forwarders Tab in DNS Properties
Client DNS Group Policy
– Central location for configuring many of the DNS client settings.
– Group policy supersedes any manual or DHCP settings.
– The DNS suffix search list policy is key to transitioning to a NetBIOS-less environment.
– The Update Top Level Domain policy enables Windows XP clients to use a single-label domain name.
DNS Group Policies in the Default Domain Policy
Policy Descriptions (1 of 2)
Primary DNS suffix
– Allows you to specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.
Dynamic update
– Determines whether dynamic update is enabled.
DNS suffix search list
– When this setting is enabled and a user submits a query for a single-label name, such as widgets, the local DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before sending the query to a DNS server.
Primary DNS suffix devolution
– Determines whether the DNS client performs primary DNS suffix devolution in the name resolution process.
Register PTR records
– Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.
Registration refresh interval
– Specifies the registration refresh interval of A and PTR resource records for computers to which this setting is applied. This setting applies only to computers using dynamic update.
Policy Descriptions (2 of 2)
Replace addresses in conflicts
– Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record containing conflicting IP addresses.
Register DNS records with connection-specific DNS suffix
– Determines whether a computer performing dynamic registration may register its A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix.
TTL set in the A and PTR records
– Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered by the computers to which this setting is applied.
Update security level
– Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update to register DNS records.
Update top-level domain zones
– Specifies whether the computers to which this policy is applied may send dynamic updates to zones named with a single-label name (also known as top-level domain zones), for example, com.
DNS Security Extensions
DNSSEC allows RRs and zones to have integrity and encryption. Zones and resource records (RRs) are signed with a private key. Windows Server 2003 only provides basic support:
– Can only act as a secondary zone.
– Cannot sign zones or resource records.
The DNS server sends both signed and unsigned records in response to a query. The Windows Server 2003 client does not authenticate records; it simply passes them to the application.
New DNSSEC Records
KEY: Public key resource record
– Contains the public key.
SIG: Signature resource record
– Contains the signature.
NXT: Next resource record
– Enables the DNS server to inform the client that a particular domain does not exist.
DNS Extension Mechanism
OPT Resource Record
As described in RFC 2671, EDNS0 uses an OPT pseudo-RR that is added to the additional data section of either a DNS request or a DNS response to indicate the sender’s ability to handle the extended DNS protocols. It is called a pseudo-RR because it pertains to a particular transport-level message and not to any actual DNS data. OPT RRs are never cached, forwarded, stored in, or loaded from zone files.
DNS Extension Mechanism
– Allows the DNS server to send User Datagram Protocol (UDP) packets larger than 512 bytes.
– The UDP length is defined in the OPT RR that is part of a DNS query.
– EDNS0 support is server-side, not client-side.
– EDNS0 cache: the server caches which hosts support EDNS0 for one month.
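To make the OPT pseudo-RR described on the two slides above concrete, here is an added example (not code from the original deck or from the Windows DNS server) that builds a query carrying an OPT RR, constructs a sample response, and reads the UDP payload size a peer advertises in the OPT RR's CLASS field. The name example.com and the sample message bytes are constructed for illustration.

```python
import struct

OPT_TYPE = 41           # OPT pseudo-RR type code (RFC 2671)
CLASSIC_UDP_SIZE = 512  # limit assumed when a peer sends no OPT RR

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def opt_rr(udp_size):
    """OPT RR: root NAME, TYPE 41, CLASS = sender's max UDP payload size,
    TTL = extended RCODE/version/flags (all zero here), empty RDATA."""
    return b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_size, 0, 0)

def build_query(name, qtype=1, udp_size=4096, txid=0x1234, edns=True):
    """Standard recursive query; with edns=True the OPT RR is the single
    additional-section record and ARCOUNT is set to 1."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(name) + struct.pack(">HH", qtype, 1)
    return header + question + (opt_rr(udp_size) if edns else b"")

def sample_response():
    """Constructed response to build_query("example.com"): one A answer whose
    owner is a compression pointer to offset 12, plus an OPT RR advertising 1280."""
    header = struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)
    question = encode_name("example.com") + struct.pack(">HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    return header + question + answer + opt_rr(1280)

def skip_name(msg, off):
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length

def advertised_udp_size(msg):
    """Skip question/answer/authority sections, then scan the additional section
    for an OPT RR and return the UDP payload size carried in its CLASS field."""
    qd, an, ns, ar = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4   # QTYPE + QCLASS
    for i in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        if i >= an + ns and rtype == OPT_TYPE:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_SIZE
```

A server that honours the advertised size can answer with up to that many bytes over UDP; a peer without an OPT RR falls back to the classic 512-byte limit.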
DNS Logging Enhancements
– Debug Logging: Most logging options have not changed, but the graphical user interface (GUI) has been updated to make it much easier to configure logging for troubleshooting purposes.
– Enable filtering based on the IP address: Provides additional filtering of the packets to be logged based on IP address.
– Event Logging tab: Controls the level of events logged.
Event and Debug Logging Tabs
Round Robin Update
You can now specify that certain RR types are not to be round-robin rotated. This is modified using a registry entry called DoNotRoundRobinTypes with a string value containing a list of RR types. The registry entry is located at HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes.
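An added example (not the Windows DNS server's code) simulating how a server applies such a setting: types listed in the string value keep their stored order, while every other RRset rotates one position per query. The value contents and record data below are constructed.

```python
# Constructed REG_SZ contents for DoNotRoundRobinTypes (not a captured value).
DO_NOT_ROUND_ROBIN_TYPES = "SRV NS"

def parse_excluded_types(value):
    """The value is a string list of RR type names; accept space or comma separators."""
    return {t.strip().upper() for t in value.replace(",", " ").split() if t.strip()}

class AnswerRotator:
    """Keeps a per-RRset rotation counter, as a server would for round robin."""

    def __init__(self, excluded_types):
        self.excluded = excluded_types
        self.counters = {}

    def answer(self, owner, rrtype, rdata):
        """Return the RRset in the order the server would place it in the answer."""
        rrtype = rrtype.upper()
        if rrtype in self.excluded or len(rdata) < 2:
            return list(rdata)          # excluded types keep zone order every time
        key = (owner.lower(), rrtype)
        shift = self.counters.get(key, 0) % len(rdata)
        self.counters[key] = shift + 1
        return rdata[shift:] + rdata[:shift]
```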
Active Directory Domain Rename Behavior
Found in the Rendom.exe tool. The DC Locator records associated with the new name are pre-published in the authoritative DNS servers by the Netlogon service running on the domain controllers of the domain:
– CNAME <DsaGuid>._msdcs.<DnsForestName>
– SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
– SRV _ldap._tcp.gc._msdcs.<DnsForestName>
– SRV _ldap._tcp.dc._msdcs.<DnsDomainName>
Verifies the integrity of the domain. This includes the ability to verify the presence or absence of DC Locator resource records on authoritative DNS servers.
Resource Records Affected by a Domain Rename
CNAME <DsaGuid>._msdcs.<DnsForestName>
– There must be one CNAME record associated with every domain controller in all authoritative DNS servers. This ensures that replication will take place from that domain controller.
SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
– There must be one SRV record pertaining to the PDC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers.
SRV _ldap._tcp.gc._msdcs.<DnsForestName>
– There must be at least one record pertaining to at least one GC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one GC, while other DNS servers may contain the records of this type registered by other GCs. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.
SRV _ldap._tcp.dc._msdcs.<DnsDomainName>
– There must be at least one record pertaining to at least one domain controller on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one domain controller, while other DNS servers may contain the records of this type registered by other domain controllers. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.
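The four rules above, written out as a check an administrator could run against the records each authoritative server returns; this is an added example, not the Rendom.exe tool's code, and the forest name, GUIDs, server names and record sets are constructed placeholders.

```python
# Constructed forest/domain and DC GUIDs (placeholders, not real values).
FOREST = "corp.example"
DOMAIN = "corp.example"
DC_GUIDS = {"dc1": "a1b2c3d4-0000-4000-8000-000000000001",
            "dc2": "a1b2c3d4-0000-4000-8000-000000000002"}

def check_locator_records(records_by_server, forest, domain, dc_guids):
    """records_by_server maps an authoritative server to the set of
    (rrtype, owner, target) tuples it answers for the _msdcs names.
    Returns human-readable findings; an empty list means all four rules hold."""
    pdc = f"_ldap._tcp.pdc._msdcs.{domain}".lower()
    gc = f"_ldap._tcp.gc._msdcs.{forest}".lower()
    dc = f"_ldap._tcp.dc._msdcs.{domain}".lower()
    findings = []
    for server, rrs in sorted(records_by_server.items()):
        srv_owners = [owner.lower() for rtype, owner, _ in rrs if rtype == "SRV"]
        cname_owners = {owner.lower() for rtype, owner, _ in rrs if rtype == "CNAME"}
        # Rule 1: one CNAME per domain controller, present on every server.
        for name, guid in sorted(dc_guids.items()):
            if f"{guid}._msdcs.{forest}".lower() not in cname_owners:
                findings.append(f"{server}: no CNAME for {name}; replication from it cannot be located")
        # Rule 2: one PDC SRV record on every server.
        n_pdc = srv_owners.count(pdc)
        if n_pdc != 1:
            findings.append(f"{server}: expected 1 PDC SRV record, found {n_pdc}")
        # Rules 3 and 4: at least one GC and one DC SRV record on every server;
        # it need not be the same GC or DC on each server.
        for label, owner in (("GC", gc), ("DC", dc)):
            if owner not in srv_owners:
                findings.append(f"{server}: no {label} SRV record; authentication may fail")
    return findings

# Constructed snapshot: ns2 has not yet received dc2's CNAME, everything else is fine.
SAMPLE = {
    "ns1.corp.example": {
        ("CNAME", f"{DC_GUIDS['dc1']}._msdcs.{FOREST}", "dc1.corp.example"),
        ("CNAME", f"{DC_GUIDS['dc2']}._msdcs.{FOREST}", "dc2.corp.example"),
        ("SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}", "dc1.corp.example"),
        ("SRV", f"_ldap._tcp.gc._msdcs.{FOREST}", "dc1.corp.example"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc1.corp.example"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc2.corp.example"),
    },
    "ns2.corp.example": {
        ("CNAME", f"{DC_GUIDS['dc1']}._msdcs.{FOREST}", "dc1.corp.example"),
        ("SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}", "dc1.corp.example"),
        ("SRV", f"_ldap._tcp.gc._msdcs.{FOREST}", "dc2.corp.example"),  # a different GC: still OK
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc2.corp.example"),
    },
}
```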
Sources
Microsoft employee Jeff Bryant, Beta Technology Support Professional, Microsoft Corporation
Microsoft internal specifications:
– Automatic configuration of DNS client during installation of a local DNS server by DCpromo, Levon Esibov, and others
– Group Policies for DNS Client, Levon Esibov, and others
– Domain Based Forwarding, Levon Esibov, and others
– Logging Enhancements, Levon Esibov, and others
– Stub DNS Zones, Levon Esibov, and others
– DNS Update API Enhancements – Resolve the Island Problem, Levon Esibov, and others
– DNS Zones stored in NDNC, Levon Esibov, and others
– Store DNSSEC records, Levon Esibov, and others
– EDNS0, Levon Esibov, and others
– Verification of Resource Records crucial to authentication and replication during Domain Rename, Kamal Janardhan, and others
Other publications:
– Windows .NET DNS Help and preliminary Windows .NET Server Resource Kit DNS chapters, Michael Cretzman
– Windows .NET Server DNS Whitepaper v.61, Steve Hahn, BTS