The Primary Purpose of DNS
Sometimes, particularly in troubleshooting, you have to go back to basics. Keep in mind that the primary point of DNS is to map a server's name to an IP address. Example: LogonServer - 10.209.12.20.Users need a range of resources, from printers and home directories to global catalog servers and Kerberos authentication for logon. The role of DNS is to respond to users requests for the resource by providing the IP address of the servers.
The extra dimension of DNS with Active Directory is the _SRV records. These service records tell you not only the server's IP address but also the services that it offers. Here is a kerberos example: _kerberos 88 (Port) LogonServer.TopBanana.com.
User's perspective - "I want to logon."
DNS with Active Directory - "I will look in the _SRV records for a server which offers Kerberos authentication."
DNS host record - "Here is the IP address of that server you need".
Integrating DNS and Active Directory
The key reason for integrating DNS and AD is efficiency. This is particularly true where you have lots of replication traffic. Even if you have a fast network, it makes sense for DNS changes to be replicated along side Active Directory changes, rather than having their own separate system.Window 2000 (and later) DNS systems use IXFR - Incremental Zone Transfer, this means that only changes are replicated, not the whole database. The disgraceful situation in NT 4.0 was that if you added one DNS record then all records were transferred during the update thus creating unwanted extra network traffic.
Importance of Naming and DNS
DNS names and Active Directory names.
The confusion arises because both DNS and Microsoft's Active Directory use the domain word. It may be better if you think of, and refer to, DNS zones and Active Directory domains. It is often a very good idea to have the DNS zone and the Active Directory name the same. For example DNS zone TopBanana.com, Active Directory root domain TopBanana.com. However this arrangement can add to the confusion unless you are clear about the distinction between DNS and Active Directory.Naming your Active Directory Forest
It is crucial to understand all the implications of your naming conventions, especially the relationship between domain name and DNS name. Learn from the mistakes of others. One urban myth circulating has it that all the first 10 companies who installed Windows 2000 Active Directory, had to go back to the drawing board and start again. What was their problem? In each case they got their naming strategy wrong. (or they did not have a strategy).The first question is are you going to use an existing DNS name? If you are using and existing domain name will you use the same name for your first domain. A supplementary question, will the Root domain, be blank or will it be your HQ domain? There are no right or wrong answers to these questions, what I am saying is that once you make your decisions you have detailed plans to ensure it works and that you do not have to rip it all up and start again.
How many domains do you need, I do have a few here - as few as possible. Good reasons for having more than one domain, multi national company, incompatible security needs, different language versions of Windows 2003. Bad reasons for having a new domain, there is a new manager in division, a region want complete control of its IT.
If you do find this planning to much then either make a single domain work for you, or else employ a network architect who is used to this sorting out these naming dilemmas.
Practical configuration of DNS and DCPROMO
The scenario, you are about to install your first Active Directory domain controller. Remember that when ever you install Windows Server 2003 it begins life as a member server. To install Active Directory go to the Start Menu, then Run, DCPROMO and so create a domain controller. But before you do that check out DNS.Begin in the System Icon, Computer Name (Tab), Change, More.. Primary DNS Suffix of this Computer. Make sure the settings are as per plan.
Double check the Network Connections, Local Area Network, TCP/IP properties, Use the following DNS server address, does this point to itself, or to the correct DNS server. I would fill in both DNS server boxes if you have two DNS servers.
Install DNS through the Add or Remove Programs, Windows Components, Networking Components, Details. DNS. If this is your first server I would run DCPROMO without any more configuration at this stage. My tactic is to let the Wizard add and populate the Forward Lookup Zone.
Seven post installation Active Directory and DNS checks
- Once DCPROMO creates Active Directory records in DNS, then I would create the reverse lookup zone and test it with NSLOOKUP.
- Check the Event Viewer which is now just under the DNS server object. Look up any suspicious error messages in TechNet.
- Right click the DNS server, Properties, Monitor (Tab), Test Now. Should the Recursive query fail investigate the Root Hints. (I have never seen the Simple Query fail.)
- If you are not connected to the internet. You may wish to create a '.' (dot, period, full stop) root domain and point the Root ".) to your domain.
- Many of us believe that you have not proved Active Directory is working properly until you have installed a second domain controller and seen replication of users.
- Set a date to switch to 'Raise Domain Functional Level'. I used to call this switching to Native Mode, but now it is more complex. When you have no more NT 4.0 BDC, raising the domain level turns on features like Universal Groups, group nesting, RAS Policies as well as extra Exchange functionality.
- Once DCPROMO installs Active Directory, then I would check that at least 4 _mcsdcs records are created, if not I would start and stop the Netlogon service check again. Still no _mcsdcs records, I would have a reboot, take a 10 minute break and look again in DNS.
Experience tells me this either DCPROMO works and there is no problem or else it very stubborn. If still no sign of Active Directory records in DNS, I would run DCPROMO, demote and start again at the beginning. In the case of a test installation, I would change the Computer name and the domain suffix before trying again.
What DNS entries (SRV Records) does Windows 2000/2003 add when you create a domain?
In order for Active Directory to function properly, DNS servers must provide support for Service Location (SRV) resource records described in RFC 2052, A DNS RR for specifying the location of services (DNS SRV). SRV resource records map the name of a service to the name of a server offering that service. Active Directory clients and domain controllers use SRV records to determine the IP addresses of domain controllers. Although not a technical requirement of Active Directory, it is highly recommended that DNS servers provide support for DNS dynamic updates described in RFC 2136, Observations on the use of Components of the Class A Address Space within the Internet.
The Windows 2000 DNS service provides support for both SRV records and dynamic updates. If a non-Windows 2000 DNS server is being used, verify that it at least supports the SRV resource record. If not, it must be upgraded to a version that does support the use of the SRV resource record. For example, Windows NT Server 4.0 DNS servers must be upgraded to Service Pack 4 or later to support SRV resource records. A DNS server that supports SRV records but does not support dynamic update must be updated with the contents of the Netlogon.dns file created by the Active Directory Installation wizard while promoting a Windows 2000 Server to a domain controller. The Netlogon.dns file is described in the following section.
So now you understand that Windows 2000 domains rely heavily on DNS entries. If you enable dynamic update on the relevant DNS zones, W2K creates these entries automatically:
- _ldap._tcp.<DNSDomainName>
- _ldap._tcp.<SiteName>._sites.<DNSDomainName>
- _ldap._tcp.pdc._ms-dcs.<DNSDomainName>
- _ldap._tcp.gc._msdcs.<DNSTreeName>
- _ldap._tcp. ._sites.gc._msdcs.<DNSTreeName>
- _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName>
- <DNSDomainName>
After running DCPROMO, A text file containing the appropriate DNS resource records for the domain controller is created. The file called Netlogon.dns is created in the %systemroot%\System32 config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.
If you are using a DNS server that supports the SRV resource record but does not support dynamic updates (such as a UNIX-based DNS server or a Windows NT Server 4.0 DNS server), you can import the records in Netlogon.dns into the appropriate primary zone file to manually configure the primary zone on that server to support Active Directory.
Introduction to DNS in Windows Server 2003
This page begins with the basic concepts of DNS and moves on to troubleshooting. The golden rule when dealing with DNS is this, remember that the name of the DNS game is name resolution. By that I mean we humans like friendly names like cisco.com, whereas computer like dotty dot number like 10.1.13.20. What DNS does is to keep a mapping of the two parts:IP Address = 10.1.13.20 - Resource = BigServer.cisco.com
One trait I noticed with DNS is that many of its features come in pairs, this symmetry will help you to remember and to understand how DNS operates.
Query and Registration
Whether you are configuring or whether you are troubleshooting there are two aspects of DNS to consider:a) Registration --> sending information to the DNS server database.
b) Query <-- retrieving IP addresses from the DNS hierarchical system.
RegistrationThe best way to register clients is through DHCP. The DHCP server gives out not only the client's IP address, but also the address of the DNS servers.The good news is that DNS is now dynamic (DDNS). This means that if a client changes it's IP address, then either the client updates DNS directly, or DHCP will act on the clients behalf and send a message to update the (A) Host record in DNS. QueryFrom the client's point of view, when it needs to know the IP address of a resource, it contacts the DNS server(s) named in the TCP/IP property sheet. Best practice is to give out this DNS server IP through DHCP. What you need to configure in DHCP is Option Type 006 - DNS. |
Recursive and Iterative DNS Queries
Recursive
Recursive queries are the default method. A recursive query means that the DNS server takes full responsibility for finding the IP address that the client wants. Take as an example, a client wants to query google.com. It is unlikely that the server is authoritative, or has a Host record for Google.com. So, the DNS server contacts the root server for the IP address of .com servers; it then contacts those .com servers and asks for the IP address of google.com. Finally the DNS server sends the information to the client.Woops! I left out the very first step. The root of the DNS system is a dot (period) "." In Server 2003, the icon representing the DNS server has a 'Root Hints' tab. Here you find the IP addresses of all the top level domains. It is because DNS is hierarchical, that it scales so well, and is superior to WINS which only offers a limited, flat-field system.
"." (Root of DNS)
.com .org .net .edu .mil .gov .co.uk
Iterative
Iterative means the server returns the best answer it can. In the above example the DNS server would say to the client. 'I do not know where google.com is, here is the IP address of the root servers, you go and query them.'Forward and Reverse Lookup
Forward Lookup
A forward query is where you know the hostname, but your operating system needs the IP address to locate the resource. The best way to create your Active Directory forward lookup zone is for DCPROMO to create it when the member server is promoted. Example "DNS, please tell me the IP address of LogonServer". Response from DNS, LogonServer 10.209.12.20.Reverse Lookup
I always think of reverse lookup as a hackers tool, where they know the IP address but want to know the hostname. A classic situation would be that you can ping an IP address, and want to know what the hostname of that address.Ping - 10.209.12.20.
NSLookup - 10.209.12.20 Reply from DNS LogonServer 10.209.12.20.
In fact there are many legitimate reasons for using reverse lookups, authenticating mail servers and troubleshooting with NSLookup to name two. Windows Server 2003 is very friendly in helping you create the reverse zone (technically called in-addra.arpa). Where it is less friendly is that you have to create the PTR or pointer records yourself. However if you are organized and create the reverse lookup zone before you populate the forward lookup zone, then you can check a box saying - "Update Associated Pointer (PTR) Record"
Troubleshooting
Again we have a pair of utilities. IPCONFIG and NSLookup are your key DNS commands. Both are available at the command prompt on Windows 2003, XP and even NT 4.0 machines.IPCONFIG
IPCONFIG has two new switches /registerdns and /flushdns. If you need to add a record to DNS, then IPCONFIG / registerdns will save you a reboot. Perhaps a connection is failing because of stale, invalid, cached IP address, IPCONFIG / flushdns will clear the cache and you can make that connection.There is also another pair of switches, /release and /renew for use when refreshing DHCP leases. Also remember IPCONFIG /all to check on DNS and DHCP server settings.
NSLookup comes in two modes
a) Non-interactive where you just want a quick lookup of a server name, example: NSLookup 10.209.12.20b) Interactive mode which is more difficult to master. Here you type:
NSLookup
>
My best advice when you reach the prompt is to type: help.
Example ls -t NS topbanana.com
This would list all records of type Name Servers in the topbanana.com domain.
If you experiment with NSLookup and nothing happens, then remember that you need a Reverse Lookup Zone with (PTR) pointer records. Once you create those PTR records, NSLookup will return that server name.
I use NSLookup when I am troubleshooting from a client machine and I wish to list the DNS records. It saves a long walk to the DNS server and gets around having to install the AdminPak just to view the DNS records.
No comments:
Post a Comment