
DNS in Windows Server 2003 - What's New

What's new in Windows Server 2003 DNS

The big improvements in Microsoft's DNS came in Windows 2000; however, Server 2003 has a surprising number of neat new dynamic DNS features.

New DNS Topics for Windows Server 2003

DNS Stub Zones

Stub Zones are rather like DNS Secondary zones.  The similarity is that both zone types hold a read-only copy of records from the server that is authoritative for a child DNS domain.  The difference is that a Stub Zone holds only three record types, SOA, NS and A, whereas a Secondary zone holds the full set of A records.  Finally, the logic is that you create the Stub Zones only in the root domain, one for each child domain, and each Stub Zone then holds those three record types for its child domain.  Incidentally, the A (Host) records in the Stub zone are referred to as 'glue' records.

The point of Stub Zones is to streamline administration, improve name resolution and possibly reduce network traffic.  Needless to say, Stub Zones are only needed in large, complicated Forests, and are unnecessary if you only have one domain.

When you need to create a Stub Zone, just open the DNS snap-in.  Right-click on the Forward Lookup Zones folder, choose New Zone, and follow the wizard.



_MSDCS DNS Zones

These DNS records beginning with an underscore allow servers to locate resources; for example, _GC means Global Catalog and _DC means Domain Controller.   While these resource records also exist in Windows 2000, in Windows Server 2003 the _MSDCS records have been moved into their own zone.  The benefit of this new arrangement is that you can control the replication of these resource records.  For example, you may want to replicate the records to all Domain Controllers in the Forest, or perhaps you want to restrict replication to Domain Controllers in the local domain.

Conditional Forwarding

Conditional DNS forwarding is rather like taking a short cut.  If I am in guybay.com and I am running DNS and I want to contact quickgear.org, then I could go via the root ' . ' domain, then the org server, then quickgear.org.  Or, provided I knew the IP address of a DNS server in quickgear.org, I could set up conditional forwarding and so take a shortcut.

Configure Conditional Forwarding from the Forwarders tab of the DNS server's own properties (not from the properties of a forward lookup zone).
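As an added example, not taken from the original article, here are the stub zone and the conditional forwarder above created from the command line instead of the snap-in. It runs dnscmd.exe (the DNS Server tool from the Windows Server 2003 Support Tools) from PowerShell. The server name DNS1, the child zone child.guybay.com, its master 192.0.2.10 and the quickgear.org name server 192.0.2.53 are placeholders I have assumed, not values from the article.

```powershell
# Added example, not part of the original article. Runs dnscmd.exe (Windows Server 2003
# Support Tools) from PowerShell. Server and zone names and all IP addresses are placeholders.
$server      = 'DNS1'                # DNS server in the root domain guybay.com
$childZone   = 'child.guybay.com'    # child domain whose SOA, NS and glue records we hold locally
$childMaster = '192.0.2.10'          # a DNS server that is authoritative for the child zone
$extZone     = 'quickgear.org'       # external domain reached by conditional forwarding
$extServer   = '192.0.2.53'          # DNS server in quickgear.org that we forward to

# 1. Stub zone for the child domain, stored in Active Directory (/DsStub).
#    Use /Stub <master IP> instead if you want a file-backed stub zone.
dnscmd $server /ZoneAdd $childZone /DsStub $childMaster

# 2. Conditional forwarder: queries for quickgear.org go straight to $extServer
#    instead of walking root -> org -> quickgear.org.
dnscmd $server /ZoneAdd $extZone /Forwarder $extServer

# 3. Checks. EnumZones lists every zone with its type (Stub, Forwarder, Primary ...);
#    ZonePrint of the stub zone should show only the SOA, the NS records and the glue A records.
dnscmd $server /EnumZones
dnscmd $server /ZoneInfo $childZone
dnscmd $server /ZonePrint $childZone
```

The ZonePrint check is worth keeping: if anything other than SOA, NS and A records turns up, the zone was created as a secondary rather than a stub, and the parent server is now holding a full copy of the child's data it does not need.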

Debug Logging for DNS

If you are troubleshooting a DNS connectivity problem, for example failed mail delivery or 404 web page errors, then master Debug Logging.  To start Debug Logging open the DNS snap-in, then the properties of the server icon.  A bonus of learning about Debug Logging in DNS is that you can apply the technique to other services, for instance Exchange 2003.
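The following is an added example, not code from the original article: it switches Debug Logging on and off with dnscmd.exe rather than the server properties dialog, limits the log to one client, and searches the result. It assumes it is run on the DNS server itself; the server name DNS1, the log path C:\DnsLogs\dns.log and the client address 192.0.2.25 are placeholders. The LogLevel bit values are the documented flags for the DNS Server LogLevel setting; each bit corresponds to one checkbox in the GUI.

```powershell
# Added example, not part of the original article: turn DNS debug logging on and off with
# dnscmd.exe instead of the GUI. Run on the DNS server; name, path and IP are placeholders.
$server   = 'DNS1'
$logPath  = 'C:\DnsLogs\dns.log'     # the directory must already exist on the DNS server
$clientIP = '192.0.2.25'             # the mail server or client whose lookups we are chasing

# LogLevel is a bit mask; each bit matches one checkbox on the Debug Logging tab.
# These are the documented DNS Server LogLevel flags.
$flags = @{ Query = 0x1; Questions = 0x100; Answers = 0x200;
            Send = 0x1000; Receive = 0x2000; UDP = 0x4000; TCP = 0x8000 }
$level = 0
foreach ($f in $flags.Values) { $level = $level -bor $f }   # 0xF301: queries and answers, both directions, UDP and TCP

dnscmd $server /Config /LogLevel ('0x{0:X}' -f $level)
dnscmd $server /Config /LogFilePath $logPath
dnscmd $server /Config /LogFileMaxSize 0x1000000            # 16 MB, after which the file wraps
dnscmd $server /Config /LogIPFilterList $clientIP           # log only packets to or from this host

# Reproduce the problem (send the mail, browse the page), then pull the lines for that client.
Select-String -Path $logPath -Pattern $clientIP -SimpleMatch

# Turn logging off again when finished: a busy server writes every packet to this file,
# and the LogIPFilterList is the only thing keeping the volume down while it is on.
dnscmd $server /Config /LogLevel 0
```

Setting LogIPFilterList before raising LogLevel is the useful habit here: on a server answering thousands of queries a second, an unfiltered packet log fills the disk long before you find the one exchange you were looking for.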

DNSLint Utility

In the Windows Server 2003 support folder there is a marvellous utility called DNSLint.  What this does is display information about DNS in HTML format.  The important features are its switches for checking Active Directory records and MX records.
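An added example, not from the original article, showing the two DNSLint switches the paragraph refers to: /ad for the Active Directory records and /c for the mail servers behind a domain's MX records. dnslint.exe is from the Windows Server 2003 Support Tools; the DNS server and domain controller address 192.0.2.1, the domain quickgear.org and the report names are placeholders I have assumed.

```powershell
# Added example, not part of the original article. dnslint.exe ships in the Windows Server
# 2003 Support Tools. Domain, server addresses and report names are placeholders.
$dnsServer = '192.0.2.1'      # DNS server to query (/s) so the test does not rely on the internet roots
$dcAddress = '192.0.2.1'      # a domain controller to test the Active Directory records against (/ad)

# Active Directory check: verifies the records under _msdcs that domain controllers
# need in order to find each other and replicate.
dnslint /ad $dcAddress /s $dnsServer /r ad-report /y /no_open

# Mail check for a domain: /c tests connectivity to the mail servers named in its MX records.
dnslint /d quickgear.org /s $dnsServer /c smtp /r mail-report /y /no_open

# Both runs write ad-report.htm and mail-report.htm in the current directory. /y overwrites
# an old report, /no_open stops the HTML from opening in a browser on a server, and /t would
# add a plain-text copy alongside the HTML.
```

Pointing /s at your own DNS server is the important detail when the domain under test is internal: without it DNSLint asks the public root servers, which know nothing about guybay.com or its _msdcs records.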

Related Feature - Universal Group Caching

Universal Groups sound great, and they are great if you only use them when Global groups would NOT get the job done.  Also stick to the best practice of only adding Global Groups to Universal Groups.  My point is: avoid adding individual accounts to a security Universal Group.

This is the logon problem that Universal Group Caching solves.  A domain controller will not let you log on until it has checked all the Universal groups that you could possibly be a member of.  The operating system's paranoia is that you may be a member of a Universal group in a distant part of the forest that has been used to deny permissions.  So, unless the domain controller is sure it has enumerated all the Universal groups, it will not let you log on - just in case there is a security violation.

The answer to the security versus speed dilemma is Universal Group Caching.  If the domain controller can check its cache for Universal Groups, then it can log the user on with the correct security tokens without troubling domain controllers in other parts of the forest.

Once you have decided to implement Universal Group Caching, open Active Directory Sites and Services.  Drill down to the site name and find NTDS Site Settings, then open its properties and the Site Settings tab.  (If you only see a General tab, then you have drilled down too far, into a server's NTDS Settings object.  Back-track from the server's NTDS Settings to the site's NTDS Site Settings.)

Check the box which says Enable Universal Group Caching.  If you are really stuck then just ask for Help: Enable Universal Group Caching.
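The checkbox above writes one flag bit on the site's NTDS Site Settings object. As an added example, not from the original article, this PowerShell script sets the same bit through ADSI, which is handy when you have many sites to configure and want a repeatable, auditable change. The site name Default-First-Site-Name and the configuration DN for guybay.com are placeholders I have assumed; the script must run under an account that can write the Configuration partition, normally an Enterprise Admin.

```powershell
# Added example, not part of the original article: enable Universal Group Caching for one
# site by setting the flag bit on its NTDS Site Settings object, the object the GUI checkbox
# writes to. Site name and configuration DN are placeholders.
$siteName = 'Default-First-Site-Name'
$configDN = 'CN=Configuration,DC=guybay,DC=com'
$settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$siteName,CN=Sites,$configDN"

# Bit 0x20 of the 'options' attribute is the group membership caching flag
# (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED in the Active Directory technical specification).
$GroupCachingEnabled = 0x20

# 'options' is absent until something has been set on the site, so treat missing as 0.
$current = 0
if ($settings.options.Value -ne $null) { $current = [int]$settings.options.Value }

if (($current -band $GroupCachingEnabled) -eq 0) {
    # OR the bit in rather than overwrite: other flags in 'options' must survive.
    $settings.Put('options', ($current -bor $GroupCachingEnabled))
    $settings.SetInfo()
    "Universal Group Caching enabled for site $siteName"
} else {
    "Universal Group Caching was already enabled for site $siteName"
}

# Read the attribute back; the checkbox in Sites and Services should now be ticked.
$settings.RefreshCache()
'options is now 0x{0:X}' -f [int]$settings.options.Value
```

Because the cache is only as fresh as its last refresh, a user removed from a Universal group in another domain may keep that membership in the site's cache until the next refresh cycle; that is the trade-off the paragraph above describes, and it is the reason to treat the change as a deliberate policy decision per site rather than a default.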


Summary of New DNS Features

In Windows 2000, DNS made a huge jump from DNS in NT 4.0.  What Windows Server 2003 does is iron out a few clunky wrinkles and add new DNS features which speed up network performance, particularly in large forests.



Copyright © 1999-2008 Computer Performance LTD. All rights reserved.
