DNS and Windows 2000 AD Issues
A Windows 2000 Active Directory domain cannot function without DNS. It goes without saying that Microsoft recommends its own DNS server, and for a Microsoft-only shop that is no problem. Larger enterprises with heterogeneous networks and an existing unix-based DNS running BIND may not want to switch. Active Directory needs DNS features that BIND has supported since version 8.1.2, but because of security fixes version 8.2.2 or later is recommended. Check the Internet Software Consortium (ISC) for BIND updates; the query dig @server version.bind txt chaos reports what a server is running, unless the administrator has hidden it.
The most important AD requirement for a DNS server is support for the service locator resource record (SRV RR), currently defined in RFC 2782. An SRV record lets a client ask where a given service is offered (for example _ldap._tcp.test.com) instead of looking up a host by name; the answer names the host and also carries the port, priority and weight, so several servers can advertise the same service. Windows 2000 clients and domain controllers find LDAP, Kerberos and global catalog servers this way, so a DNS server that does not support SRV records cannot be used with Active Directory.
Microsoft also recommends support for dynamic update (RFC 2136), which lets clients and domain controllers add and update their own records in DNS. Dynamic update is not strictly required for Active Directory to function: a domain controller writes the records it wants to register to %SystemRoot%\System32\Config\netlogon.dns, and those can be entered in the zone by hand, though they then have to be kept current by hand as well.
There are real advantages if you can use W2K DNS. Zone data can be stored in Active Directory, which provides integrated security and redundancy: the zone is replicated to every domain controller that runs DNS by normal AD replication, so no zone transfers are needed between them (standard secondaries can still pull transfers from any of them), and the records are protected by AD discretionary access control lists (DACLs). AD-integrated zones are multi-master, like the directory itself, whereas a traditional DNS zone has a single primary; they are also the only zone type on which "secure dynamic update only" can be enforced, so that only authenticated clients can register and change records. For standard zone files, W2K DNS supports incremental zone transfers (RFC 1995), which let a secondary server pull only the changes it needs to bring its copy of the zone in line with the primary's. W2K clients register and update their own DNS records dynamically, and the W2K DHCP server can register records on behalf of downlevel clients (NT, Win9x) that cannot.
Thus your organization has these DNS options for its Windows 2000 domain:
- Replace existing DNS servers and use Windows 2000 DNS exclusively (highly recommended if it works for your environment)
- Upgrade existing non-W2K DNS servers to BIND version 8.2.2 or later
- Implement a mixed DNS environment by using W2K DNS for the W2K domain only, delegated from the existing namespace
Microsoft's W2K DNS also supports the relaxed character set of RFC 2181, which specifies that a DNS label can be any binary string and need not be interpreted as ASCII. Microsoft therefore suggests UTF-8, an encoding of Unicode that is a superset of ASCII (not hard to understand why, since NT uses Unicode internally).
To change the naming standard in W2K DNS:
- In the DNS console, right-click the DNS server
- Select Properties
- Select the Advanced tab
- Make your choice in the Name Checking drop-down list:
  - Strict RFC (ANSI): RFC 1123, A-Z, 0-9, - (dash)
  - Non-RFC (ANSI): adds underscore to the ANSI set
  - Multibyte (UTF8): allows UTF-8 characters (Microsoft naming standard)
  - Any names: allows any character
Names with UTF-8 characters cannot be expected to resolve through non-Microsoft servers or resolvers, so in a mixed environment keep host names within the Strict RFC set.
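The following is an added example, not code from the original page or from Microsoft: a small model of the four Name Checking modes listed above, so you can see in advance which setting a given name needs. The character sets follow the list above; the 63-octet label limit is RFC 1035's; the rule that a label may not begin or end with a hyphen is RFC 1123's (whether W2K enforced it is an assumption), and rejecting whitespace and control characters in UTF-8 mode is an assumption made for this model. The sample names are constructed.

```python
# Added example, not from the original page: a model of the four Name Checking
# modes on the Advanced tab of the W2K DNS server properties. Character sets
# follow the page's list; the 63-octet label limit is RFC 1035's; the rule that
# a label may not begin or end with a hyphen is RFC 1123's (whether W2K enforced
# it is an assumption). Rejecting whitespace and control characters in UTF-8
# mode is also an assumption made for this model.
import re

STRICT_RFC = "Strict RFC (ANSI)"   # RFC 1123: A-Z, 0-9, hyphen
NON_RFC = "Non-RFC (ANSI)"         # adds underscore (AD's _ldap._tcp labels)
MULTIBYTE = "Multibyte (UTF8)"     # the page's "Microsoft naming standard"
ANY = "Any names"                  # no character check at all
MODES = (STRICT_RFC, NON_RFC, MULTIBYTE, ANY)

_STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_NONRFC_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")


def labels(name: str) -> list:
    """Split a possibly fully-qualified name ('dc1.test.com.') into labels."""
    return name.rstrip(".").split(".")


def check_name(name: str, mode: str) -> bool:
    """True if the DNS server would accept `name` under the given mode."""
    if mode not in MODES:
        raise ValueError(f"unknown name-checking mode: {mode}")
    for label in labels(name):
        # Wire-format limits apply whatever the character set.
        if not label or len(label.encode("utf-8")) > 63:
            return False
        if mode == STRICT_RFC and not _STRICT_LABEL.match(label):
            return False
        if mode == NON_RFC and not _NONRFC_LABEL.match(label):
            return False
        if mode == MULTIBYTE and any(
            ch.isspace() or ord(ch) < 32 or ord(ch) == 127 for ch in label
        ):
            return False
    return True


def modes_accepting(name: str) -> list:
    """Which of the four settings would let this name into a zone."""
    return [mode for mode in MODES if check_name(name, mode)]


if __name__ == "__main__":
    # Constructed sample names; test.com is the page's example zone.
    for sample in ("dc1.test.com", "_ldap._tcp.dc._msdcs.test.com",
                   "müller.test.com", "bad name.test.com", "-dash.test.com"):
        print(f"{sample:32} {modes_accepting(sample)}")
```

Note that the underscore labels Active Directory itself registers (_ldap, _tcp, _msdcs) already fall outside Strict RFC (ANSI) in this model, which is why the Non-RFC setting exists.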
Operationally, a GUI is fine for novice administrators but cumbersome when the same task has to be repeated many times; command line tools are more efficient and can be scripted. Dnscmd.exe is one of the Windows 2000 Support Tools, installed from Support.cab in the Support\Tools directory of the Windows 2000 CD.
Dnscmd.exe can be used to:
- Get DNS server info
- Initiate server scavenging
- Enumerate and view zone info
- Create, delete, pause, and resume zones
- Change zone type (standard primary, standard secondary, AD integrated)
- Add, delete, and enumerate records in a zone
To create a standard primary zone stdprizone.test.com on server1.test.com, stored in the zone file stdprizone.dns:
dnscmd server1.test.com /ZoneAdd stdprizone.test.com /Primary /file stdprizone.dns
The syntax for adding DNS A records is similar:
Dnscmd server_name /RecordAdd zone_name computer_name A IP_address
To add an A record for testcomp1 with the IP address 18.104.22.168 in the test.com zone on the server stdprizone.test.com:
Dnscmd stdprizone.test.com /RecordAdd test.com testcomp1 A 18.104.22.168
To force a standard secondary zone to check its master for changes and pull a zone transfer if one is needed (AD-integrated zones are replicated by Active Directory instead and do not use this):
Dnscmd server_name /ZoneRefresh zone_name
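As an added example, not from the original page or from Microsoft, the script below turns the SRV records a domain controller writes to netlogon.dns into the dnscmd /RecordAdd commands described above, which is the scripted way to populate a zone that does not take dynamic updates. The netlogon.dns content is constructed in that file's zone-file format, and the server and zone names are hypothetical; the SRV form of /RecordAdd (node SRV priority weight port target) and the use of @ for the zone apex are taken from dnscmd's documented syntax. It also shows the RFC 2782 priority/weight ordering a client applies to the answers.

```python
# Added example, not from the original page or from Microsoft: generate the
# dnscmd /RecordAdd commands for the SRV records a W2K domain controller writes
# to %SystemRoot%\System32\Config\netlogon.dns, for loading into a zone that
# does not take dynamic updates. The input below is constructed in that file's
# zone-file format; server and zone names are hypothetical. The SRV form
#   dnscmd <server> /RecordAdd <zone> <node> SRV <priority> <weight> <port> <target>
# and '@' for the zone apex are taken from dnscmd's documented syntax.
from dataclasses import dataclass

NETLOGON_DNS = """\
; constructed sample, not a real netlogon.dns
_ldap._tcp.test.com. 600 IN SRV 0 100 389 dc1.test.com.
_ldap._tcp.test.com. 600 IN SRV 10 100 389 dc2.test.com.
_kerberos._tcp.dc._msdcs.test.com. 600 IN SRV 0 100 88 dc1.test.com.
_gc._tcp.test.com. 600 IN SRV 0 100 3268 dc1.test.com.
dc1.test.com. 600 IN A 192.0.2.10
"""


@dataclass(frozen=True)
class SrvRecord:
    owner: str      # fully-qualified owner, e.g. _ldap._tcp.test.com.
    ttl: int
    priority: int   # RFC 2782: lower is preferred
    weight: int     # RFC 2782: share of load among equal priorities
    port: int
    target: str     # fully-qualified host offering the service


def parse_netlogon_dns(text: str) -> list:
    """Parse 'owner TTL IN SRV priority weight port target' lines; skip the rest."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # ';' starts a zone-file comment
        fields = line.split()
        if len(fields) != 8 or fields[2].upper() != "IN" or fields[3].upper() != "SRV":
            continue   # blank lines and the A records are not SRV records
        owner, ttl, _cls, _type, priority, weight, port, target = fields
        records.append(SrvRecord(owner, int(ttl), int(priority), int(weight),
                                 int(port), target))
    return records


def relative_node(owner: str, zone: str) -> str:
    """Owner name relative to the zone, as /RecordAdd expects ('@' at the apex)."""
    zone = zone.rstrip(".").lower()
    owner = owner.rstrip(".")
    if owner.lower() == zone:
        return "@"
    if not owner.lower().endswith("." + zone):
        raise ValueError(f"{owner} is not in zone {zone}")
    return owner[: -(len(zone) + 1)]


def dnscmd_commands(records: list, server: str, zone: str) -> list:
    """One dnscmd /RecordAdd line per SRV record, in file order."""
    return [
        f"dnscmd {server} /RecordAdd {zone} {relative_node(r.owner, zone)} "
        f"SRV {r.priority} {r.weight} {r.port} {r.target}"
        for r in records
    ]


def preferred_target(records: list) -> str:
    """The host an RFC 2782 client tries first: lowest priority, then highest
    weight. Real resolvers choose at random in proportion to weight within a
    priority; this deterministic pick is only for illustration."""
    return min(records, key=lambda r: (r.priority, -r.weight)).target


if __name__ == "__main__":
    records = parse_netlogon_dns(NETLOGON_DNS)
    for command in dnscmd_commands(records, "dc1.test.com", "test.com"):
        print(command)
    ldap = [r for r in records if r.owner == "_ldap._tcp.test.com."]
    print("first LDAP server tried:", preferred_target(ldap))
```

Records in netlogon.dns carry fully-qualified owner names, so the script strips the zone suffix before handing the node name to dnscmd; records that belong to another zone (for example a delegated _msdcs zone) raise an error rather than being silently added under the wrong zone.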
See Microsoft's DNS and AD site for configuration tips and white papers, including:
- Configuring Windows 2000 DNS to Support Active Directory
- Domain Name Service (DNS), Chapter 16 of Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference
- DNS: Setting Up the Domain Name System for Active Directory
- DNS in the Active Directory Tree
- DNS in the Active Directory Tree Part 2: Best Practices, Common Problems, and Troubleshooting
- HOW TO: Convert a DNS Server to a Root DNS Server
- HOW TO: Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
- HOW TO: Integrate DNS with Existing DNS Infrastructure If Active Directory Is Enabled in Windows 2000
- Windows 2000 DNS White Paper
- The DNS Place