DNS is the cornerstone of any Windows network (and of any other operating system's network, for that matter). You need DNS to support Active Directory, to resolve host names to IP addresses, and to perform reverse lookups so that you can get names back from IP addresses. There haven't been many changes to Windows Server DNS since Windows 2000 Server, so I wasn't expecting much from the Windows Server 2008 DNS server.
Fortunately, I was wrong! There are a few new things in the Windows Server 2008 DNS server. Unfortunately, the feature that just about everybody wanted, the ability to return different host records depending on the source address of the query, wasn't included. Such a feature would let you host both the internal and the external zone of a split DNS infrastructure on the same DNS server. As it stands, if you use Windows DNS servers you still need two computers (physical or virtual) to host the internal and external zones of a split DNS.
However, what you do get are the following new things:
Background zone loading: DNS servers that host large DNS zones stored in Active Directory Domain Services (AD DS) can respond to client queries more quickly after a restart, because zone data is now loaded in the background and the server answers queries for zones that are already loaded instead of waiting for every zone to finish loading.
IP version 6 (IPv6) support: The DNS Server service now fully supports the longer addresses of the IPv6 specification. You can create quad A (AAAA) host records and IPv6 pointer (PTR) records in the ip6.arpa reverse tree. The zone wizard walks you through creating both IPv4 and IPv6 forward and reverse lookup zones.
Support for read-only domain controllers (RODCs): The DNS Server role in Windows Server 2008 provides primary read-only zones on RODCs. An RODC is a domain controller that holds a read-only copy of the Active Directory database, so RODCs can be placed where physical security is weaker, such as branch offices. Because the zone copy on the RODC is read-only, clients cannot dynamically update their records on the RODC itself; updates have to be written on a writable DNS server.
Global single names: The GlobalNames zone provides single-label name resolution for large enterprise networks that do not deploy Windows Internet Name Service (WINS). The GlobalNames zone is useful when it is not practical to rely on DNS suffix search lists to turn single-label names into fully qualified names.
Global query block list: Clients of protocols such as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) rely on DNS to resolve well-known host names (wpad and isatap). That makes them vulnerable to a malicious user who uses dynamic update to register a host computer under one of those names and pose as the legitimate server, for example to hand out a rogue proxy configuration to every browser on the network. The DNS Server role in Windows Server 2008 provides a global query block list, containing wpad and isatap by default, that makes the server refuse to resolve those names from any zone it hosts, which helps reduce this vulnerability. Two caveats: the list is a per-server setting (it is stored in the registry of each DNS server, not in AD, so configure it on every server), and it only stops DNS from answering; a client that fails to resolve a single-label name like wpad may still fall back to LLMNR or NetBIOS name resolution, which the block list does nothing about.
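The IPv6 reverse-lookup item above glosses over the one part people get wrong: an IPv6 PTR record lives in ip6.arpa under the 32 hex nibbles of the address, written in reverse, one label per nibble, and the reverse zone boundary must fall on a nibble (4-bit) boundary. The following PowerShell is an added example, not code from the original article; it assumes dnscmd.exe (present on a Windows Server 2008 DNS server) and uses hypothetical names (corp.example.com, web01, the 2001:db8:1::10 address and the /64 prefix) that you would replace with your own.

```powershell
# Added example (not from the original article). Assumes dnscmd.exe from the Windows
# Server 2008 DNS Server role; zone, host and address below are hypothetical.

# Convert an IPv6 address to its ip6.arpa owner name: 32 hex nibbles, reversed, dot-separated.
function Get-Ip6ArpaName {
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "Not an IPv6 address: $Address"
    }
    # GetAddressBytes() returns the 16 bytes in network order, so the hex string is the
    # fully expanded address; '::' compression never reaches this point.
    $hex = [string]::Join('', [string[]]($ip.GetAddressBytes() | ForEach-Object { $_.ToString('x2') }))
    $nibbles = $hex.ToCharArray()
    [array]::Reverse($nibbles)
    return ([string]::Join('.', [string[]]$nibbles) + '.ip6.arpa')
}

# Split the owner name into the reverse zone for a given prefix and the node name inside it.
function Split-Ip6Arpa {
    param([string]$Address, [int]$PrefixLength = 64)
    if (($PrefixLength % 4) -ne 0 -or $PrefixLength -lt 4 -or $PrefixLength -gt 124) {
        throw "PrefixLength must be a multiple of 4: one reverse-zone label per nibble"
    }
    $labels = (Get-Ip6ArpaName $Address).Split('.')   # 32 nibble labels + 'ip6' + 'arpa'
    $zoneNibbles = $PrefixLength / 4
    $node = [string]::Join('.', [string[]]$labels[0..(31 - $zoneNibbles)])
    $zone = [string]::Join('.', [string[]]$labels[(32 - $zoneNibbles)..33])
    return @{ Zone = $zone; Node = $node }
}

# Print (or, with -Apply, run) the dnscmd commands that create the AAAA record and its PTR.
function New-Ipv6HostRecords {
    param(
        [string]$Server = '.',      # '.' is the local DNS server
        [string]$ForwardZone,       # hypothetical forward zone, e.g. corp.example.com
        [string]$HostName,          # unqualified host label
        [string]$Address,
        [int]$PrefixLength = 64,
        [switch]$Apply
    )
    $rev  = Split-Ip6Arpa -Address $Address -PrefixLength $PrefixLength
    $fqdn = "$HostName.$ForwardZone."
    $cmds = @(
        # AD-integrated reverse zone; dnscmd reports DNS_ERROR_ZONE_ALREADY_EXISTS if it is there already
        "dnscmd $Server /ZoneAdd $($rev.Zone) /DsPrimary",
        "dnscmd $Server /RecordAdd $ForwardZone $HostName AAAA $Address",
        "dnscmd $Server /RecordAdd $($rev.Zone) $($rev.Node) PTR $fqdn"
    )
    foreach ($c in $cmds) {
        Write-Host $c
        if ($Apply) { Invoke-Expression $c }
    }
}

# Dry run: prints the three commands. For 2001:db8:1::10 in a /64 the reverse zone is
# 0.0.0.0.1.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa and the node is 0.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0
New-Ipv6HostRecords -ForwardZone 'corp.example.com' -HostName 'web01' -Address '2001:db8:1::10'
```

Run it without -Apply first and compare the printed zone name with what the reverse lookup zone wizard shows for the same prefix; if they differ, the prefix length you gave the wizard was not on a nibble boundary.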
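To make the global query block list item concrete, here is an added PowerShell example (not from the original article, and not Microsoft's own tooling beyond the dnscmd.exe calls) that does what a practitioner would actually want on each Windows Server 2008 DNS server: show the current block list, enforce it, and then audit the hosted zones for wpad and isatap nodes that someone has already registered, since the block list stops the server answering for those names but does not remove records that exist. The server name dns01, the zone corp.example.com, and the assumption that dnscmd returns a non-zero exit code when a node does not exist are all mine; replace the names and check the exit-code behaviour on your own server.

```powershell
# Added example (not from the original article). Assumes dnscmd.exe and DNS admin rights.
# $Server and $Zones are hypothetical; '.' targets the local server.
$Server  = 'dns01'
$Zones   = @('corp.example.com')
$Blocked = @('wpad', 'isatap')   # the Windows Server 2008 default block list contents

# Show what is configured now, then enforce the list. Both values live in this one
# server's registry (HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters), not in AD,
# so this has to be repeated on every DNS server.
function Set-GlobalQueryBlockList {
    param([string]$Server, [string[]]$Names)
    & dnscmd $Server /Info /EnableGlobalQueryBlockList
    & dnscmd $Server /Info /GlobalQueryBlockList
    & dnscmd $Server /Config /EnableGlobalQueryBlockList 1
    # PowerShell expands the array into one argument per name: wpad isatap
    & dnscmd $Server /Config /GlobalQueryBlockList $Names
}

# Look for the blocked names already registered in each zone, the sign of a rogue
# dynamic-update registration (or of a legitimate server that predates the block list).
function Find-BlockedNameRecords {
    param([string]$Server, [string[]]$Zones, [string[]]$Names)
    $hits = @()
    foreach ($zone in $Zones) {
        foreach ($name in $Names) {
            $out = & dnscmd $Server /EnumRecords $zone $name 2>&1
            # Assumption: dnscmd exits non-zero (DNS_ERROR_NAME_DOES_NOT_EXIST) when the node is absent
            if ($LASTEXITCODE -eq 0) {
                $hits += New-Object PSObject -Property @{
                    Zone    = $zone
                    Name    = $name
                    Records = ($out | Out-String).Trim()
                    # the removal command, printed rather than run, so an operator decides
                    Cleanup = "dnscmd $Server /RecordDelete $zone $name A /f"
                }
            }
        }
    }
    return $hits
}

Set-GlobalQueryBlockList -Server $Server -Names $Blocked
$found = Find-BlockedNameRecords -Server $Server -Zones $Zones -Names $Blocked
if ($found.Count -eq 0) {
    Write-Host "No wpad/isatap records registered in the audited zones."
} else {
    $found | Format-List Zone, Name, Records, Cleanup
}
```

If the audit does find a wpad record, check who owns it before deleting: in an AD-integrated zone with secure dynamic updates, the record's ACL names the computer account that registered it, which tells you whether it was a legitimate proxy server or a workstation that should never have been able to claim the name.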
I'll do a short article in the future on how to create the GlobalNames zone. It's pretty simple, and it will let you rid yourself of WINS servers on your network if you don't have any NetBIOS applications still running in your organization. Keep in mind that, unlike WINS, the GlobalNames zone is populated by hand with CNAME records and does not accept dynamic registrations, so it is meant for a stable set of well-known servers rather than for every machine on the network.
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP – Microsoft Firewalls (ISA)