Learn AD in 15 Minutes a Week: Microsoft DNS - Part 1

Thursday Dec 19th 2002 by Jason Zandri

Jason Zandri's latest article in the 'Learn Active Directory Design and Administration in 15 Minutes a Week' series takes a 10,000-foot look at Microsoft DNS. Future installments will focus on how DNS provides functionality in an Active Directory network.

Welcome to the 17th installment of "Learn Active Directory Design and Administration in 15 Minutes a Week," a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft.

This installment takes a 10,000-foot look at Microsoft DNS; later installments will center on how DNS provides the functionality an Active Directory network depends on.

To begin with, DNS provides name resolution by translating computer names to Internet Protocol (IP) addresses so that computers can locate each other. DNS is also the primary naming convention for Windows 2000 domains. In a Windows 2000 network, the names of DNS domains and Active Directory domains share a common naming structure, and in many cases they are identical. Server1.zandri.net is a valid fully qualified DNS name for a Windows 2000 computer in the zandri.net domain. If that same server were reachable from the Internet, it could use the same name there, provided the zandri.net domain had been registered.

[NOTES FROM THE FIELD] - Microsoft DNS is not a requirement for Active Directory. Windows 2000 uses standards-based DNS, so Active Directory can be deployed on top of other RFC-compliant DNS implementations as long as they support the record types it relies on (see the table below). It has been tested to work with Windows NT 4.0, BIND 8.2, BIND 8.1.2, and BIND 4.9.7.

Microsoft DNS under Windows 2000 supports some features not supported under other implementations of DNS.

Feature                                            Windows 2000   Windows NT 4.0   BIND 8.2   BIND 8.1.2   BIND 4.9.7
SRV records (IETF "A DNS RR for specifying the
  location of services (DNS SRV)", now RFC 2782)   Yes            Yes (w/SP4)      Yes        Yes          Yes
Dynamic update                                     Yes            No               Yes        Yes          No
Secure dynamic update (GSS-TSIG algorithm)         Yes            No               No         No           No
WINS and WINS-R records                            Yes            Yes              No         No           No
Fast zone transfer                                 Yes            Yes              Yes        Yes          Yes
Incremental zone transfer                          Yes            No               Yes        No           No
UTF-8 character encoding                           Yes            No               No         No           No

BIND version 4.9.7 is the earliest version of BIND that is supported for a Windows 2000 Active Directory environment for DNS support. Of the features above, SRV record support is the one Active Directory cannot do without, since domain controllers are located through SRV records; dynamic update is strongly recommended so that domain controllers can register those records themselves rather than an administrator maintaining them by hand. Note that secure dynamic update (GSS-TSIG) is available only from Windows 2000 DNS, and there only for Active Directory integrated zones. A zone that accepts unsecured dynamic updates will take a record from any host on the network, including one that overwrites a domain controller's entries, so plan for that when choosing a DNS implementation.

DNS identifies domain controllers by the specific services that they provide for the Windows 2000 Active Directory domain so that clients can query DNS to locate a domain controller that provides the needed service.

[NOTES FROM THE FIELD] - This portion of the article is mainly an overview of DNS. Upcoming articles will delve into the Active Directory pieces a little more.

[NOTES FROM THE FIELD] - If this section looks familiar to you, it may be because you have already read my Understanding DNS in Windows XP Professional article. This section is basically a recap of that. If you want, you can skip down to the next section, titled DNS Zone Overview.

Microsoft DNS Overview

The Microsoft Domain Name System (DNS) is the name resolution service that resolves host names, such as the host portion of a Uniform Resource Locator (URL) and other DNS names, into their "true" dotted decimal IP addresses. The host name www.zandri.net in http://www.zandri.net translates into a specific Internet Protocol (IP) address, and it is that address resolution that enables users to reach the server destination they are seeking.

There are two different types of DNS lookup, forward and reverse. A forward lookup query resolves a DNS name to an IP address and is the most common DNS query. A reverse lookup query resolves an IP address to a name.

A DNS name server can answer authoritatively only for a zone for which it has authority. When a DNS server receives a resolution request, it first attempts to locate the requested information in its own zone database and cache; anything else it can answer only by asking other servers, as described below.

Two types of queries can be performed in DNS: iterative and recursive.

A DNS resolution query in which the server returns the best answer it can provide from its local cache or stored zone data, without contacting any other server, is called an iterative query. If the server receiving the iterative query does not have an exact match for the requested name, it returns a referral: a pointer to the servers authoritative for a lower level of the domain namespace, closer to the name. The querying system then asks one of those servers, and so on, and continues this process until it locates a server that is authoritative for the requested name or until an error is returned, such as name not found, or a time-out condition is met.

A DNS resolution query made from a client to a DNS server in which the server assumes the full workload and responsibility for providing a complete answer to the query is called a recursive query.

If the server cannot answer from its own database or cache, it performs separate iterative queries to other servers (on behalf of the client) to obtain an answer to the recursive query. It continues this process until it locates a server authoritative for the requested name or until an error is returned, such as name not found, or a time-out condition is met.

Client computers generally send recursive queries to DNS servers. Usually the DNS server is set up to make iterative queries to provide an answer to the client.

The following is an example of the query process of a client computer making a request to a DNS server to resolve the Web address of www.zandri.net.

First, the client computer generates a request for the IP address of www.zandri.net by sending a recursive query to the DNS server that it is configured to use in its network configuration. (We'll call this server LOCALCFG.)

The second step is for the LOCALCFG DNS server, which has received a recursive query, to look in its local database and cache. If it finds the answer locally, it returns it. If it is unable to locate an entry for www.zandri.net, it sends an iterative query to a root DNS server, one that is authoritative for the root (".") of the DNS namespace, whose address it takes from its root hints. (We'll call this server LOCALROOT.)

If the LOCALROOT DNS server, which is authoritative for the root zone, has the answer in its local database, it sends a response to LOCALCFG. If the LOCALROOT DNS server is unable to locate an entry for www.zandri.net in its database, it sends a reply to the querying DNS server (LOCALCFG) with the IP addresses of DNS servers that are authoritative for the .net domain. (If it were .com it would send the IP addresses of DNS servers that are authoritative for the COM domain. If it were .org it would send the IP addresses of DNS servers that are authoritative for the ORG domain, and so on.) We'll call this server DNSNET.

The DNS server that received the client recursive query (LOCALCFG) sends an iterative query to a server that is authoritative for the .net domain (DNSNET).

If the DNS server that is authoritative for the .net domain (DNSNET) has an entry for www.zandri.net in its local cache it will return it to LOCALCFG. If DNSNET is unable to locate an entry for www.zandri.net in its database, it will send a reply to the querying DNS server (LOCALCFG) with the IP addresses of DNS servers that are authoritative for the zandri.net domain. (We'll call this server ZANDRIDNS).

The DNS server that received the client recursive query (LOCALCFG) then sends an iterative query to a server that is authoritative for the zandri.net domain. (ZANDRIDNS)

The DNS server that is authoritative for the zandri.net domain (ZANDRIDNS) locates an entry for www.zandri.net in its database and sends a reply to the querying DNS server (LOCALCFG) with the IP address of www.zandri.net.

The DNS server (LOCALCFG) that received the recursive query sends a reply to the client computer with the IP address of www.zandri.net.
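The walk above, as a small model you can run: a client's recursive query goes to LOCALCFG, which answers it by making iterative queries to LOCALROOT, DNSNET and ZANDRIDNS in turn, caching what it learns. This is an added example and not code from the article; the server names follow the text, while the IP addresses (from 192.0.2.0/24, the documentation range) and the zone contents are constructed for illustration.

```python
"""Model of recursive resolution carried out by iterative queries.

Added example, not code from the article. Server names follow the text; the IP
addresses (192.0.2.0/24, the documentation range) and zone contents are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    """A server that answers iterative queries from its own zone data only."""
    name: str
    addresses: dict = field(default_factory=dict)    # A records: owner name -> IP
    delegations: dict = field(default_factory=dict)  # child zone -> (server name, server IP)

    def answer_iterative(self, qname):
        """Best local answer: the record, a referral further down the tree, or name not found."""
        if qname in self.addresses:
            return "answer", self.addresses[qname]
        # Refer the querier to the longest delegated child zone that covers qname.
        covering = [z for z in self.delegations if qname == z or qname.endswith("." + z)]
        if covering:
            return "referral", self.delegations[max(covering, key=len)]
        return "nxdomain", None


class RecursiveServer:
    """LOCALCFG: accepts the client's recursive query and does the iterative walk for it."""

    def __init__(self, root_hint, network):
        self.root_hint = root_hint   # (name, IP) of a root server, as listed in the root hints
        self.network = network       # IP -> AuthServer; stands in for sending a query to that IP
        self.cache = {}
        self.trace = []              # which servers were asked for the last query

    def resolve(self, qname):
        qname = qname.lower().rstrip(".")
        self.trace = []
        if qname in self.cache:      # a cache hit needs no iterative queries at all
            self.trace.append(("cache", "answer"))
            return self.cache[qname]
        server_name, ip = self.root_hint
        for _ in range(16):          # bound the walk so a referral loop cannot run forever
            kind, data = self.network[ip].answer_iterative(qname)
            self.trace.append((server_name, kind))
            if kind == "answer":
                self.cache[qname] = data
                return data
            if kind == "nxdomain":
                return None
            server_name, ip = data   # follow the referral to the next authoritative server
        return None


def build_network():
    """Constructed stand-in for the Internet: one authoritative server per zone in the example."""
    root = AuthServer("LOCALROOT", delegations={"net": ("DNSNET", "192.0.2.2")})
    net = AuthServer("DNSNET", delegations={"zandri.net": ("ZANDRIDNS", "192.0.2.3")})
    zandri = AuthServer("ZANDRIDNS", addresses={"www.zandri.net": "192.0.2.80"})
    return {"192.0.2.1": root, "192.0.2.2": net, "192.0.2.3": zandri}


def make_localcfg():
    """The client's configured DNS server, with LOCALROOT as its only root hint."""
    return RecursiveServer(("LOCALROOT", "192.0.2.1"), build_network())


if __name__ == "__main__":
    localcfg = make_localcfg()
    print(localcfg.resolve("www.zandri.net"), localcfg.trace)   # three iterative queries
    print(localcfg.resolve("www.zandri.net"), localcfg.trace)   # now answered from cache
    print(localcfg.resolve("www.example.com"), localcfg.trace)  # no .com in this tiny network
```

The second lookup shows why the cache matters: LOCALCFG answers without asking anyone, which is exactly the state a cache-poisoning attack tries to bring about with a forged answer. A recursive server should therefore accept recursive queries only from the clients it serves, and the bounded loop above is the same guard a real resolver needs against a referral that points back at itself.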

DNS Zone Overview

A DNS zone is a contiguous portion of the domain namespace for which a particular DNS server has authority to resolve DNS queries. DNS namespaces are almost always divided into zones that store name information about one or more DNS domains, or portions of a DNS domain.

In the Windows 2000 Active Directory domain structure there are three different zone types.

The Standard Primary zone contains the read/write master copy of the zone, stored in a standard text file. Any changes to the zone are recorded in that file and that file only. Any other copies of that zone are Secondary zone copies and are read-only.

The Standard Secondary zone contains a read-only copy of a Primary zone, and it too is stored in a standard text file. Any changes to the zone are made on the Primary zone and reach the Secondary zone by zone transfer. You would create a Standard Secondary zone to make a copy of an existing Primary zone and its zone file, which allows the DNS name resolution workload to be distributed among multiple DNS servers. Because a secondary obtains its copy by zone transfer, the primary should be configured to allow transfers only to its listed secondaries; a zone that transfers to anyone who asks hands out a complete map of the hosts in that namespace.

Active Directory integrated zones store the DNS zone information in the Active Directory database rather than in a text file. Updates to an Active Directory integrated zone reach the other domain controllers running DNS automatically during Active Directory replication. You do not need to configure DNS servers with update intervals, as Active Directory maintains the zone information and replicates it on its own replication schedule. Active Directory integrated zones are also the only zone type on Windows 2000 for which secure dynamic update can be turned on, so they are the type to use for the zone that domain controllers register their records in.

The Active Directory integrated option is not available until you implement Active Directory. If Active Directory is not present in your environment, the option is grayed out in the New Zone Wizard and in the Change Zone Type dialog box of the DNS MMC snap-in.

DNS zone files contain the name resolution data for a zone in the form of resource records, each of which records one attribute of a name in the zone: its address, its mail server, the servers authoritative for it, and so on. Below is a list of the most common resource records.

A (host, or address) records contain the name-to-IP address mapping information used to map a DNS domain name to the IP address of a host on the network.

Alias records, normally referred to as CNAME (canonical name) records, allow you to provide additional names for a server that already has a name in an A (host) resource record. This is how a Web server named Server1 in the domain zandri.net "becomes" www.zandri.net as far as DNS resolution is concerned: there is an Alias record pointing www.zandri.net at Server1.zandri.net.

MX (Mail Exchanger) records specify the server to which e-mail for a given domain is delivered. When you have a mail server named Mailbox.zandri.net and you want mail for any user@zandri.net delivered to it, a Mail Exchanger resource record must exist in the zone for zandri.net and must point to Mailbox. An MX record carries a preference value (lower is tried first) and must point at a host name that has an A record, not at a CNAME.

NS (Name Server) records designate the DNS domain names of the servers that are authoritative for a given DNS zone.

PTR (Pointer) records are used for reverse lookup queries. A reverse lookup query resolves an IP address to a name. Reverse lookup zones are created in the in-addr.arpa domain to map a host IP address back to its DNS domain name.

SOA (Start of Authority) records indicate the starting point of authority for a given DNS zone on a specific DNS server. The SOA resource record is the first resource record created when you add a new zone.

SRV (Service) records, sometimes referred to as Service Location records, register services within the zone so that clients can locate them by using DNS. Each SRV record carries a priority, a weight, a port and the host name that provides the service. SRV records are mainly used to identify services in Active Directory: Windows 2000 domain controllers register records such as _ldap._tcp.zandri.net and _kerberos._tcp.zandri.net (plus a parallel set under _msdcs.zandri.net) by dynamic update, and clients find a domain controller by querying for them.
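To make the Standard Primary zone file and the record types above concrete, here is a parser for the standard text zone-file format that loads a small forward zone and its matching in-addr.arpa reverse zone, answers lookups the way a server would (chasing a CNAME to its canonical name), and checks that MX, SRV and NS records point at real hosts. This is an added example, not code from the article or from Microsoft DNS; the zone contents, host names and 192.0.2.0/24 addresses are constructed for illustration, and only the directives and record types the text mentions are handled.

```python
"""Parse a text zone file and answer lookups for the record types discussed above.

Added example, not code from the article. Zone contents, host names and the
192.0.2.0/24 addresses are constructed; only $ORIGIN/$TTL and the record types
covered in the text are handled.
"""
import ipaddress

# Constructed forward zone for zandri.net, in the text format a Standard Primary zone
# is stored in. The SOA is the first record, as the text says it must be.
FORWARD_ZONE = """\
$ORIGIN zandri.net.
$TTL 3600
@        IN SOA   server1.zandri.net. hostmaster.zandri.net. 2002121901 900 600 86400 3600
@        IN NS    server1.zandri.net.
@        IN MX    10 mailbox.zandri.net.
server1  IN A     192.0.2.10
mailbox  IN A     192.0.2.25
www      IN CNAME server1                    ; alias: www -> server1
_ldap._tcp.dc._msdcs IN SRV 0 100 389 server1.zandri.net.   ; LDAP on the domain controller
"""

# Constructed reverse zone for 192.0.2.0/24, where the PTR records live.
REVERSE_ZONE = """\
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 3600
@   IN SOA server1.zandri.net. hostmaster.zandri.net. 2002121901 900 600 86400 3600
@   IN NS  server1.zandri.net.
10  IN PTR server1.zandri.net.
25  IN PTR mailbox.zandri.net.
"""

# Which rdata fields hold domain names, so they get qualified against $ORIGIN.
NAME_FIELDS = {"CNAME": (0,), "NS": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,), "SOA": (0, 1)}


def qualify(name, origin):
    """Turn a relative owner or target into a lowercase FQDN without the trailing dot."""
    name = name.lower()
    if name == "@":
        return origin
    return name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return (origin, records); each record is (owner, type, ttl, rdata list)."""
    origin, default_ttl, last_owner, records = None, None, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()                # drop comments and blank lines
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".").lower()
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        if origin is None:
            raise ValueError("resource record before $ORIGIN")
        tokens = line.split()
        owner = last_owner if line[0] in " \t" else tokens.pop(0)   # blank owner repeats the last
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        if rtype == "A":
            ipaddress.IPv4Address(rdata[0])                 # reject a malformed address early
        records.append((qualify(owner, origin), rtype, ttl, rdata))
        last_owner = owner
    return origin, records


class Zone:
    def __init__(self, text):
        self.origin, self.records = parse_zone(text)
        soa = [r for r in self.records if r[1] == "SOA"]
        if len(soa) != 1 or soa[0][0] != self.origin:        # exactly one SOA, at the apex
            raise ValueError("zone must have exactly one SOA record at the apex")

    def lookup(self, name, rtype, _hops=0):
        """Rdata for name/type; follow a CNAME to its canonical name as a server would."""
        name = name.lower().rstrip(".")
        found = [r[3] for r in self.records if r[0] == name and r[1] == rtype]
        if found or rtype == "CNAME":
            return found
        alias = [r[3] for r in self.records if r[0] == name and r[1] == "CNAME"]
        if alias and _hops < 8:                              # bound the chase against CNAME loops
            return self.lookup(alias[0][0], rtype, _hops + 1)
        return []

    def lint(self):
        """MX, SRV and NS targets inside the zone must be hosts with an A record, not aliases."""
        problems = []
        for owner, rtype, _ttl, rdata in self.records:
            if rtype not in ("MX", "SRV", "NS"):
                continue
            target = rdata[NAME_FIELDS[rtype][0]]
            if target != self.origin and not target.endswith("." + self.origin):
                continue                                     # out-of-zone target: cannot check here
            if self.lookup(target, "CNAME"):
                problems.append(f"{rtype} at {owner} points at alias {target}")
            elif not self.lookup(target, "A"):
                problems.append(f"{rtype} at {owner} target {target} has no A record")
        return problems


def reverse_name(ip):
    """Owner name in in-addr.arpa for an IPv4 address, for a PTR lookup."""
    return ipaddress.IPv4Address(ip).reverse_pointer         # e.g. 25.2.0.192.in-addr.arpa


if __name__ == "__main__":
    fwd, rev = Zone(FORWARD_ZONE), Zone(REVERSE_ZONE)
    print(fwd.lookup("www.zandri.net", "A"))                 # CNAME chased to server1's address
    print(fwd.lookup("zandri.net", "MX"))
    print(fwd.lookup("_ldap._tcp.dc._msdcs.zandri.net", "SRV"))
    print(rev.lookup(reverse_name("192.0.2.25"), "PTR"))
    print(fwd.lint())                                        # [] when every target is a real host
```

The lint check is the one worth keeping around: an MX or SRV record that points at a CNAME, or at a name with no A record, is accepted silently by most servers and only shows up later as mail that bounces or clients that cannot find a domain controller.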


Well, that wraps up this section of "Learn Active Directory Design and Administration in 15 Minutes a Week." I hope you found it informative and will return for the next installment.

If you have any questions, comments or even constructive criticism, please feel free to drop me a note.

I want to write solid technical articles that appeal to a large range of readers and skill levels and I can only be sure of that through your feedback.

Until next time, best of luck in your studies and remember:



I remember how my mother taught me RELIGION - "You better pray that will come out of the carpet."

Copyright 2017 © QuinStreet Inc. All Rights Reserved