Jason Zandri's latest article in the 'Learn Active Directory Design and Administration in 15 Minutes a Week' series takes a 10,000-foot look at Microsoft DNS. Future installments will focus on how DNS provides functionality in an Active Directory network.
Welcome to the 17th installment of "Learn Active Directory Design and Administration in 15 Minutes a Week," a weekly series aimed at current IT professionals preparing to write the new Windows Active Directory Design and Administration exams (70-219 and 70-217 respectively), as well as newcomers to the field who are trying to get a solid grasp on this new and emerging directory service from Microsoft.
This installment will take a 10,000-foot look at Microsoft DNS; later installments will center on how it provides functionality in an Active Directory network.
To begin with, DNS provides name resolution by translating computer names to Internet Protocol (IP) addresses so that computers can locate each other. DNS is also the primary naming convention for Windows 2000 domains. In a Windows 2000 network, the names of DNS domains and Active Directory domains often share a common naming structure, and in many cases they are identical. Server1.zandri.net is a valid name for a computer in the Windows 2000 domain zandri.net. If that same server were reachable from the Internet, it could use that same name there as well, provided the zandri.net name was registered and available.
[NOTES FROM THE FIELD] - Microsoft DNS is not a requirement for Active Directory. Microsoft DNS on Windows 2000 is RFC-compliant, and Active Directory can be deployed on top of other DNS implementations, provided they support the SRV record type that Active Directory depends on to locate domain controllers. It has been tested to work with Windows NT 4.0, BIND 8.2, BIND 8.1.2, and BIND 4.9.7.
Microsoft DNS under Windows 2000 supports some features that not all other implementations of DNS support:

- Support for the IETF Internet-Draft "A DNS RR for specifying the location of services (DNS SRV)" (SRV records)
- Support for dynamic update
- Support for secure dynamic update based on the GSS-TSIG algorithm
- Support for WINS and WINS-R records
- Support for fast zone transfer
- Support for incremental zone transfer
- Support for UTF-8 character encoding
BIND version 4.9.7 is the earliest version of BIND that is supported for DNS in a Windows 2000 Active Directory environment. It supports the SRV record type, but dynamic update only arrived in BIND 8, so with BIND 4.9.7 the domain controller records have to be added to the zone by hand.
DNS identifies domain controllers by the specific services that they provide for the Windows 2000 Active Directory domain so that clients can query DNS to locate a domain controller that provides the needed service.
[NOTES FROM THE FIELD] - This portion of the article is mainly an overview of DNS. Upcoming articles will delve into the Active
Directory pieces a little more.
[NOTES FROM THE FIELD] - If this section looks familiar to you, it may be because you have already read my Understanding DNS in Windows XP Professional article. This section is basically a recap of that. If you want, you can skip down to the next section, titled DNS Zone Overview.
Microsoft DNS Overview
The Microsoft Domain Name System (DNS) is the name resolution service that resolves the host names used in Uniform Resource Locators (URLs) and other DNS names into their "true" dotted-decimal IP address form. The host name in http://www.zandri.net translates into a specific Internet Protocol (IP) address, and it is that address resolution that enables users to reach the server destination they are seeking.
There are two different types of DNS lookup, forward and reverse. A forward lookup query resolves a DNS name to an IP address and is the most common DNS query. A reverse lookup query resolves an IP address to a name.
A name server can give an authoritative answer only for a zone for which it has authority. When DNS servers receive a resolution request, they first attempt to locate the requested information in their own zone data or cache.
Two types of queries can be performed in DNS:
iterative and recursive.
A name resolution query made from a client to a DNS server, where the server returns the best answer it can provide from its local cache or stored zone data, is called an iterative query. If the server answering the iterative query does not have an exact match for the requested name, it provides a referral: a pointer to a server that is authoritative at another level of the domain namespace. The querying system then queries that server, and so on, continuing the process until it locates a server that is authoritative for the requested name, or until an error is returned (such as name not found) or a time-out condition is met.
A name resolution query made from a client to a DNS server in which the server assumes the full workload and responsibility for providing a complete answer to the query is called a recursive query. If the server cannot resolve the name from its own database, it performs separate iterative queries to other servers (on behalf of the client) to assemble an answer to the recursive query. It continues this process until it locates a server that is authoritative for the requested name, or until an error is returned (such as name not found) or a time-out condition is met.
Client computers generally send recursive queries to DNS servers. The DNS server is usually configured to make iterative queries in order to provide an answer to the client.
The following is an example of the query process when a client computer asks a DNS server to resolve the Web address www.zandri.net. First, the client computer generates a request for the IP address of www.zandri.net by sending a recursive query to the DNS server it is configured to use in its network configuration. (We'll call this server LOCALCFG.)
The second step is for the LOCALCFG DNS server, which has received a recursive query, to look in its local database. If it finds the answer locally, it returns it. If it is unable to locate an entry for www.zandri.net in its own database, it sends an iterative query to a DNS server that is authoritative for the root of the DNS namespace. (We'll call this server LOCALROOT.)

If the LOCALROOT DNS server, which is authoritative for the root domain, has the answer in its local database, it sends a response to LOCALCFG. If the LOCALROOT DNS server is unable to locate an entry for www.zandri.net in its database, it sends a reply to the querying DNS server (LOCALCFG) with the IP addresses of the DNS servers that are authoritative for the .net domain. (If it were .com it would send the IP addresses of DNS servers that are authoritative for the COM domain. If it were .org it would send the IP addresses of DNS servers that are authoritative for the ORG domain, and so on.) We'll call the .net server DNSNET.

The DNS server that received the client recursive query (LOCALCFG) then sends an iterative query to a server that is authoritative for the .net domain (DNSNET).
If the DNS server that is authoritative for the .net domain (DNSNET) has an entry for www.zandri.net in its local data, it returns it to LOCALCFG. If DNSNET is unable to locate an entry for www.zandri.net in its database, it sends a reply to the querying DNS server (LOCALCFG) with the IP addresses of the DNS servers that are authoritative for the zandri.net domain. (We'll call this server ZANDRIDNS.)

The DNS server that received the client recursive query (LOCALCFG) then sends an iterative query to a server that is authoritative for the zandri.net domain (ZANDRIDNS). The server that is authoritative for the zandri.net domain (ZANDRIDNS) locates an entry for www.zandri.net in its database and sends a reply to the querying DNS server (LOCALCFG) with the IP address of www.zandri.net. Finally, the DNS server that received the recursive query (LOCALCFG) sends a reply to the client computer with the IP address of www.zandri.net.
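The walk just described, as an added example that is not code from the original article: a small Python simulation in which LOCALCFG answers the client's recursive query by making iterative queries of LOCALROOT, DNSNET and ZANDRIDNS in turn, following each referral until it reaches an authoritative answer or a name error. The server names follow the text; the delegation tree, the address 192.0.2.10 and the cache are constructed for illustration and describe no real deployment.

```python
# Added example (not from the original article): offline simulation of the
# recursive query the client sends to LOCALCFG and the chain of iterative
# queries LOCALCFG makes in turn. The delegation tree and 192.0.2.10
# (TEST-NET-1 documentation range) are constructed, not real infrastructure.

# Authoritative data held by each hypothetical server: "answers" are the A
# records it holds; "referrals" are the delegations (NS data) it hands back
# for names below a subzone it has delegated.
SERVERS = {
    "LOCALROOT": {                      # authoritative for the root zone
        "answers": {},
        "referrals": {"net.": "DNSNET", "com.": "DNSCOM"},
    },
    "DNSNET": {                         # authoritative for .net
        "answers": {},
        "referrals": {"zandri.net.": "ZANDRIDNS"},
    },
    "DNSCOM": {"answers": {}, "referrals": {}},
    "ZANDRIDNS": {                      # authoritative for zandri.net
        "answers": {"www.zandri.net.": "192.0.2.10",
                    "server1.zandri.net.": "192.0.2.10"},
        "referrals": {},
    },
}


def fqdn(name):
    """Normalise a name to lower case, absolute form (trailing dot)."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def in_zone(name, zone):
    """True if name lies at or below zone."""
    return name == zone or name.endswith("." + zone)


def iterative_query(server, name):
    """One iterative query: the server answers only from its own data.

    Returns ("answer", ip), ("referral", next_server) or ("nxdomain", None).
    """
    data = SERVERS[server]
    if name in data["answers"]:
        return "answer", data["answers"][name]
    delegated = [z for z in data["referrals"] if in_zone(name, z)]
    if delegated:                       # most specific delegation wins
        return "referral", data["referrals"][max(delegated, key=len)]
    return "nxdomain", None             # authoritative, but no such name


def recursive_resolve(name, cache=None):
    """LOCALCFG's handling of a client's recursive query.

    Returns (ip_or_None, trace); trace lists every iterative query made as
    (server, result). A cached name is answered with no queries at all.
    """
    name = fqdn(name)
    cache = {} if cache is None else cache
    trace = []
    if name in cache:
        return cache[name], trace
    server = "LOCALROOT"                # every cold walk starts at the root
    for _ in range(len(SERVERS) + 1):   # bound the walk against referral loops
        kind, value = iterative_query(server, name)
        trace.append((server, kind))
        if kind == "answer":
            cache[name] = value         # remember it for later clients
            return value, trace
        if kind == "nxdomain":
            return None, trace
        server = value                  # follow the referral downward
    return None, trace


if __name__ == "__main__":
    cache = {}
    print(recursive_resolve("www.zandri.net", cache))      # three iterative queries
    print(recursive_resolve("www.zandri.net", cache))      # answered from cache
    print(recursive_resolve("nothere.zandri.net", cache))  # ends in nxdomain at ZANDRIDNS
```

Running it resolves www.zandri.net with exactly three iterative queries (LOCALROOT, DNSNET, ZANDRIDNS), then answers the same name again from LOCALCFG's cache with none, which is why a recursive server serves every client behind it for a name after a single walk. A name that does not exist ends at ZANDRIDNS with a name error, mirroring the "name not found" case above.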
DNS Zone Overview
A DNS zone is a contiguous portion of the domain namespace for which a particular DNS server has authority to resolve DNS queries. DNS namespaces are almost always divided into zones that store name information about one or more DNS domains or portions of a DNS domain.
In the Windows 2000 Active Directory domain structure there are three different zone types.
The Standard Primary zone contains the read/write master copy of the zone, stored in a standard text file. Any changes to the zone are recorded in that file and that file only. Any other copies of that zone are Secondary zone copies and are read-only.
The Standard Secondary zone contains a read-only version of a Primary zone file, and it is stored in a standard text
file. Any changes to the zone are performed on the Primary
zone file and are replicated to the Secondary zone file. You
would create a Standard Secondary zone to create a copy of
an existing Primary zone and its zone file, which allows the
DNS name resolution workload to be distributed among
multiple DNS servers.
Active Directory integrated zones store the DNS zone information in the Active Directory database rather than in a text file. Updates to an Active Directory integrated zone are replicated automatically during Active Directory replication. You do not need to manually configure DNS servers to specify update intervals, as Active Directory maintains the zone information and replicates it based on its own replication schedule. Secure dynamic update (the GSS-TSIG mechanism listed earlier) is available only for Active Directory integrated zones; a standard primary zone that allows dynamic updates accepts them from any host that can reach the server. The Active Directory integrated option is not available in the Change Zone Type dialog box until you implement Active Directory. If Active Directory is not present in your environment, the option will be grayed out in the New Zone Wizard and in the Change Zone Type dialog box of the DNS MMC snap-in.
Zone files contain the name resolution data for a zone. That data takes the form of resource records: database entries that describe various attributes of network systems. Below is a list of the most common resource records.
A (Host) records, sometimes called host records or address records, contain the name-to-IP address mappings used to map DNS domain names to a host's IP address on the network.
Alias records, normally referred to as CNAME (canonical name) records, allow you to provide additional names for a server that already has a name in an A (host) resource record. This is how a Web server named Server1 in the zandri.net domain can be known as www.zandri.net as far as DNS resolution is concerned: an Alias record maps www.zandri.net to Server1.zandri.net.
MX (Mail Exchanger) records specify the server to which e-mail for a given domain is delivered. When you have a mail server named Mailbox.zandri.net and you want all mail for addresses in the zandri.net domain to be delivered to it, a Mail Exchanger resource record must exist in the zone for zandri.net and must point to Mailbox.
NS (Name Server) records designate the DNS domain names of the servers that are authoritative for a given DNS zone.
PTR (Pointer) records are used for reverse lookup queries. A reverse lookup query resolves an IP address to a name. Reverse lookup zones are created in the in-addr.arpa domain to designate a reverse mapping of a host IP address to a host DNS domain name.
SOA (Start of Authority) records indicate the starting point of authority for a given DNS zone on a specific DNS server. The SOA resource record is the first resource record created when you add a new zone.
SRV records, sometimes referred to as Service Location records, register services within the zone so that clients can locate those services by using DNS. SRV records are mainly used to identify services in an Active Directory network.
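To make the record types concrete, here is an added example in Python, not code from the original article: a minimal parser for the standard text zone file format, run over two constructed zones, zandri.net and its reverse zone 2.0.192.in-addr.arpa, that contain the SOA, NS, A, CNAME, MX, PTR and SRV records described above. It then answers lookups the way a resolver would: following the www alias to Server1's A record, deriving the in-addr.arpa owner name for a PTR lookup, and ordering SRV answers by priority and weight. All names and addresses are made up for the example (192.0.2.0/24 is the documentation range).

```python
# Added example (not from the original article). Constructed zandri.net
# forward zone and its in-addr.arpa reverse zone in master-file text format,
# the same format a Windows 2000 standard primary zone is stored in.
# Names/addresses are made up (192.0.2.0/24 is the TEST-NET-1 range).
ZONE_FORWARD = """\
$ORIGIN zandri.net.
$TTL 3600
@            IN SOA   server1 hostmaster 2001010100 900 600 86400 3600
@            IN NS    server1
@            IN MX    10 mailbox
server1      IN A     192.0.2.10
mailbox      IN A     192.0.2.25
www          IN CNAME server1            ; alias: www -> Server1's A record
_ldap._tcp   IN SRV   0 100 389 server1  ; service location: LDAP on Server1
"""

ZONE_REVERSE = """\
$ORIGIN 2.0.192.in-addr.arpa.
$TTL 3600
@    IN SOA server1.zandri.net. hostmaster.zandri.net. 2001010100 900 600 86400 3600
@    IN NS  server1.zandri.net.
10   IN PTR server1.zandri.net.
25   IN PTR mailbox.zandri.net.
"""

# Positions of rdata fields that are domain names (and may be relative to $ORIGIN).
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SRV": (3,)}


def qualify(name, origin):
    """Make a name absolute: '@' means the origin; relative names get it appended."""
    if name == "@":
        return origin
    name = name.lower()
    return name if name.endswith(".") else f"{name}.{origin.lstrip('.')}"


def parse_zone(text):
    """Parse master-file text into (owner, ttl, type, rdata) tuples.

    Supports $ORIGIN, $TTL, ';' comments, a blank owner field (repeats the
    previous owner) and an optional per-record TTL. Rdata split across lines
    with parentheses is not handled: keep each record on one line.
    """
    origin, default_ttl, owner, records = ".", 3600, None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0] == "$TTL":
            default_ttl = int(tokens[1])
            continue
        if not line[0].isspace():              # owner present on this line
            owner = qualify(tokens.pop(0), origin)
        ttl = int(tokens.pop(0)) if tokens[0].isdigit() else default_ttl
        if tokens[0].upper() == "IN":          # class is optional
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = qualify(rdata[i], origin)
        records.append((owner, ttl, rtype, tuple(rdata)))
    return records


def absolute(name):
    return name.lower() if name.endswith(".") else name.lower() + "."


def lookup(records, name, rtype, max_aliases=8):
    """Return rdata tuples for (name, rtype), following CNAME aliases like a resolver."""
    name = absolute(name)
    for _ in range(max_aliases):
        hits = [r[3] for r in records if r[0] == name and r[2] == rtype]
        if hits or rtype == "CNAME":
            return hits
        aliases = [r[3] for r in records if r[0] == name and r[2] == "CNAME"]
        if not aliases:
            return []
        name = aliases[0][0]                   # chase the alias to its canonical name
    return []                                  # alias loop or chain too long


def reverse_name(ip):
    """Owner name under in-addr.arpa for the PTR record of an IPv4 address."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."


def find_service(records, service, domain):
    """SRV lookup ordered by priority (lowest first), then weight (highest first)."""
    srvs = lookup(records, f"{service}.{domain}", "SRV")
    ordered = sorted(srvs, key=lambda r: (int(r[0]), -int(r[1])))
    return [(r[3], int(r[2])) for r in ordered]   # (target host, port)


if __name__ == "__main__":
    db = parse_zone(ZONE_FORWARD) + parse_zone(ZONE_REVERSE)
    print(lookup(db, "www.zandri.net", "A"))                   # via CNAME -> 192.0.2.10
    print(lookup(db, "zandri.net", "MX"))                      # mail for the domain
    print(lookup(db, reverse_name("192.0.2.10"), "PTR"))       # reverse lookup
    print(find_service(db, "_ldap._tcp", "zandri.net"))        # LDAP on server1:389
```

The alias chase is bounded so a CNAME that points back at itself cannot spin the lookup forever, and reverse_name rejects anything that is not a dotted quad before building the in-addr.arpa name; both are the sort of malformed input a resolver has to tolerate. Real zone files often spread the SOA across several lines inside parentheses, which this minimal parser deliberately does not handle.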
Well, that wraps up this section of "Learn Active Directory Design and Administration in 15 Minutes a Week." I hope you found it informative and will return for the next installment. If you have any questions, comments or even constructive criticism, please feel free to drop me a line. I want to write solid technical articles that appeal to a large range of readers and skill levels, and I can only be sure of that through your feedback.

Until next time, best of luck in your studies and remember:

I remember how my mother taught me RELIGION - "You better pray that will come out of the carpet."