DNS in Windows Server 2003 – What’s New

What’s new in Windows Server 2003 DNS

The big improvements in Microsoft’s DNS came in Windows 2000; however, Windows Server 2003 still has a surprising number of neat new dynamic DNS features.

New DNS Topics for Windows Server 2003


DNS Stub Zones

Stub Zones are rather like DNS Secondary zones.  The similarity is that both zone types hold a read-only copy of data from the server that is authoritative for a child DNS domain.  The difference is that a Stub Zone holds only three record types, SOA, NS and A, whereas a Secondary zone holds the full set of records, including every A record.  Finally, the logic is that you create the Stub Zone only in the Root domain, and the Stub Zone then holds those three records for each child domain.  Incidentally, the A (Host) records in the Stub Zone, which give the addresses of the child domain’s name servers, are referred to as ‘glue’ records.

The point of Stub Zones is to streamline administration, improve name resolution and, possibly, reduce network traffic.  Needless to say, Stub Zones are only needed in large, complicated Forests, and are unnecessary if you only have one domain.

When you need to create a Stub Zone, open the DNS snap-in, right-click the Forward Lookup Zones folder and follow the wizard.

The _MSDCS Zone

DNS records beginning with an underscore are used to locate resources, for example _GC means Global Catalog and _DC means Domain Controller.  While these resource records exist in Windows 2000, in Windows Server 2003 these _MSDCS records have been moved into their own zone.  The benefit of this new arrangement is that you can control where the resource records replicate.  For example, you may want to replicate them to all Domain Controllers in the Forest, or perhaps you want to restrict replication to Domain Controllers in the local domain.

Conditional Forwarding

Conditional DNS forwarding is rather like taking a short cut.  If I am in guybay.com and I am running DNS and I want to contact quickgear.org, then I could go via the root ‘.’ domain, then the org server, then quickgear.org.  Or, provided I knew the IP address of the DNS server in quickgear.org, I could set up conditional forwarding and so take a shortcut.

Configure Conditional Forwarding from the Forwarders tab of the DNS server’s own properties (not from the properties of a forward lookup zone).  More on Conditional Forwarding
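To make the ‘shortcut’ concrete, here is an added example (not code from the original page or from Microsoft’s DNS service) that walks a toy resolver through a referral chain.  Without a shortcut the server starts at the root and follows delegations downwards; with a Stub Zone it jumps straight to the address in the glue record, and with a conditional forwarder it hands the whole query to the configured address.  Every name, IP address and record set in the block is constructed for the demonstration; the stub zone holds only the NS and glue A records, the SOA that a real stub zone uses to refresh them from its master is left out.

```python
"""Toy resolver walk showing why a Stub Zone or a conditional forwarder is a
shortcut. Example code added to illustrate the article; it is not Microsoft's
DNS service. Names, addresses and record data are constructed for the demo."""

ROOT = "198.41.0.4"   # constructed address standing in for a root server

# Constructed network: for each server, the zones it delegates (NS name and
# glue A address) and the host records it answers for directly.
SERVERS = {
    ROOT:           {"delegations": {"com.": ("a.com-servers.test.", "192.5.6.30"),
                                     "org.": ("a.org-servers.test.", "199.19.56.1")},
                     "hosts": {}},
    "192.5.6.30":   {"delegations": {"guybay.com.": ("dc1.guybay.com.", "10.0.0.10")},
                     "hosts": {}},
    "199.19.56.1":  {"delegations": {"quickgear.org.": ("ns1.quickgear.org.", "203.0.113.53")},
                     "hosts": {}},
    "10.0.0.10":    {"delegations": {"sales.guybay.com.": ("dc1.sales.guybay.com.", "10.0.1.5")},
                     "hosts": {}},
    "10.0.1.5":     {"delegations": {}, "hosts": {"fs1.sales.guybay.com.": "10.0.1.20"}},
    "203.0.113.53": {"delegations": {}, "hosts": {"www.quickgear.org.": "203.0.113.80"}},
}


def enclosing_zone(name, zones):
    """Longest zone in `zones` that is `name` itself or one of its parents."""
    matches = [z for z in zones if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


class Resolver:
    def __init__(self, stub_zones=None, forwarders=None):
        # Stub Zone: the NS record and its glue A record copied from the child
        # zone (the SOA used to refresh them from the master is omitted here).
        self.stub_zones = stub_zones or {}   # zone -> (NS name, glue IP)
        # Conditional forwarder: queries under this zone go to this address.
        self.forwarders = forwarders or {}   # zone -> forwarder IP

    def resolve(self, name):
        """Return (answer address or None, list of servers queried in order)."""
        path = []
        fwd_zone = enclosing_zone(name, self.forwarders)
        if fwd_zone is not None:
            server = self.forwarders[fwd_zone]
            path.append(server)
            # The forwarder does any further recursion itself: whoever answers
            # at that address is trusted for the whole name space.
            data = SERVERS.get(server, {"hosts": {}})
            return data["hosts"].get(name), path
        stub_zone = enclosing_zone(name, self.stub_zones)
        server = self.stub_zones[stub_zone][1] if stub_zone is not None else ROOT
        while server is not None:
            path.append(server)
            data = SERVERS.get(server)
            if data is None:                 # stale glue or unreachable server
                return None, path
            if name in data["hosts"]:
                return data["hosts"][name], path
            zone = enclosing_zone(name, data["delegations"])
            server = data["delegations"][zone][1] if zone is not None else None
        return None, path


if __name__ == "__main__":
    plain = Resolver()
    shortcut = Resolver(
        stub_zones={"sales.guybay.com.": ("dc1.sales.guybay.com.", "10.0.1.5")},
        forwarders={"quickgear.org.": "203.0.113.53"})
    for target in ("fs1.sales.guybay.com.", "www.quickgear.org."):
        for label, r in (("via root", plain), ("shortcut", shortcut)):
            answer, path = r.resolve(target)
            print(f"{target:24} {label:9} {answer}  asked {len(path)} server(s): {path}")
    # A Stub Zone is only as good as its glue record: a stale address fails.
    stale = Resolver(stub_zones={"sales.guybay.com.": ("dc1.sales.guybay.com.", "10.0.9.9")})
    print(stale.resolve("fs1.sales.guybay.com."))
```

Running it shows the child-domain lookup dropping from four servers asked to one, and the external lookup from three to one.  The last line is the caveat worth remembering: both shortcuts replace a chain of referrals with a single address that you configured by hand, so a stale glue record or a wrong forwarder address breaks resolution for that whole name space, and the address you point at is the one you are trusting to answer for it.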


Debug Logging for DNS

If you are troubleshooting a DNS connectivity problem, for example failed mail delivery or 404 web page errors, then master Debug Logging.  To start Debug Logging, open the DNS snap-in and then the properties of the server icon.  A bonus of learning about Debug Logging in DNS is that you can apply the technique to other services, for instance Exchange 2003.  More on Debug Logging
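Debug Logging is only useful if you can read the log quickly, so here is an added example (not code from the original page) that parses lines laid out like the DNS server’s debug log and summarises them per client.  The sample lines are constructed for the demonstration and follow the packet-line layout (date, time, thread id, PACKET, packet id, protocol, direction, remote address, XID, an R for responses, Q, the flags and response code in brackets, query type, and the name in length-prefixed label form); the regular expression is deliberately lenient about spacing, and any line in another layout is skipped.

```python
"""Parse lines in the style of the Windows DNS server debug log and summarise
them per client. Example code added to illustrate the article; the sample
lines are constructed, not copied from a real server."""

import re
from collections import defaultdict

# Constructed sample: two clients, one of which keeps asking for a mistyped
# domain and gets NXDOMAIN back every time.
SAMPLE_LOG = """\
4/15/2005 2:14:23 PM 0CA0 PACKET  00000000012E5B60 UDP Rcv 10.0.0.25  0002   Q [0001   D   NOERROR] A      (3)www(9)quickgear(3)org(0)
4/15/2005 2:14:23 PM 0CA0 PACKET  00000000012E5B60 UDP Snd 10.0.0.25  0002 R Q [8081   DR  NOERROR] A      (3)www(9)quickgear(3)org(0)
4/15/2005 2:14:24 PM 0CA0 PACKET  00000000012E5C80 UDP Rcv 10.0.0.25  0003   Q [0001   D   NOERROR] MX     (6)guybay(3)com(0)
4/15/2005 2:14:24 PM 0CA0 PACKET  00000000012E5C80 UDP Snd 10.0.0.25  0003 R Q [8085   DR  NOERROR] MX     (6)guybay(3)com(0)
4/15/2005 2:14:30 PM 0CA0 PACKET  00000000012E5D90 UDP Rcv 10.0.0.77  0004   Q [0001   D   NOERROR] A      (4)mail(8)quckgear(3)org(0)
4/15/2005 2:14:30 PM 0CA0 PACKET  00000000012E5D90 UDP Snd 10.0.0.77  0004 R Q [8383   DR  NXDOMAIN] A      (4)mail(8)quckgear(3)org(0)
4/15/2005 2:14:31 PM 0CA0 PACKET  00000000012E5E10 UDP Rcv 10.0.0.77  0005   Q [0001   D   NOERROR] A      (4)smtp(8)quckgear(3)org(0)
4/15/2005 2:14:31 PM 0CA0 PACKET  00000000012E5E10 UDP Snd 10.0.0.77  0005 R Q [8383   DR  NXDOMAIN] A      (4)smtp(8)quckgear(3)org(0)
"""

# One packet line: fields separated by runs of spaces; 'R' is present only on
# responses; the bracket holds the flags followed by the response code.
LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+(?:\s+[AP]M)?)\s+(?P<thread>[0-9A-Fa-f]+)\s+PACKET\s+"
    r"(?P<packet>[0-9A-Fa-f]+)\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+(?P<ip>\S+)\s+"
    r"(?P<xid>[0-9A-Fa-f]+)\s+(?P<resp>R)?\s*Q\s+\[(?P<flags>[^\]]+)\]\s+"
    r"(?P<qtype>\S+)\s+(?P<name>\S+)\s*$"
)


def decode_name(labels):
    """Turn the log's (3)www(7)example(3)com(0) form into www.example.com."""
    parts = []
    for length, text in re.findall(r"\((\d+)\)([^(]*)", labels):
        if int(length) != len(text):          # length prefix and label disagree
            raise ValueError(f"corrupt label sequence: {labels!r}")
        if text:
            parts.append(text)
    return ".".join(parts) or "."


def parse_log(text):
    """Return one dict per packet line; lines in another layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags").split()
        records.append({
            "client": m.group("ip"),
            "direction": m.group("dir"),      # Rcv = from the client, Snd = our reply
            "response": m.group("resp") == "R",
            "rcode": flags[-1],               # NOERROR, NXDOMAIN, SERVFAIL, ...
            "qtype": m.group("qtype"),
            "name": decode_name(m.group("name")),
        })
    return records


def summarize_clients(records):
    """Per client: queries received and how many of our replies were NXDOMAIN."""
    summary = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "failed_names": set()})
    for r in records:
        s = summary[r["client"]]
        if r["direction"] == "Rcv" and not r["response"]:
            s["queries"] += 1
        elif r["direction"] == "Snd" and r["response"] and r["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            s["failed_names"].add(r["name"])
    return dict(summary)


def flag_noisy_clients(summary, min_queries=2, max_failure_ratio=0.5):
    """Clients whose queries mostly fail: a mistyped domain, a stale setting,
    or a host that deserves a closer look in the full log."""
    return sorted(ip for ip, s in summary.items()
                  if s["queries"] >= min_queries
                  and s["nxdomain"] / s["queries"] > max_failure_ratio)


if __name__ == "__main__":
    summary = summarize_clients(parse_log(SAMPLE_LOG))
    for ip, s in sorted(summary.items()):
        print(f"{ip}: {s['queries']} queries, {s['nxdomain']} NXDOMAIN, "
              f"failed names: {sorted(s['failed_names'])}")
    print("check these clients:", flag_noisy_clients(summary))
```

Point the parser at a real log by reading the file into `parse_log` instead of `SAMPLE_LOG`.  The per-client NXDOMAIN count is the quickest way to spot the mail server that is looking up a misspelt domain, which is exactly the mail-delivery failure the text mentions; the same summary also shows up a client that is generating large numbers of failed lookups for no good reason, which is worth a look before it becomes an incident.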

DNSLint Utility

In the Windows Server 2003 support folder there is a marvellous utility called DNSLint.  It displays information about DNS in HTML format.  Its important features are switches for checking Active Directory and MX records.  More on DNSLint

Related Feature – Universal Group Caching

Universal Groups sound great, and they are great, provided you only use them when Global Groups would NOT get the job done.  Also stick to the best practice of only adding Global Groups to Universal Groups.  My point is: avoid adding individual accounts to a security Universal Group.

This is the logon problem that Universal Group Caching solves.  A domain controller will not let you log on until it has checked all the Universal Groups of which you could possibly be a member.  The operating system’s paranoia is that you may be a member of a Universal Group, in a distant part of the forest, that has been used to deny permissions.  So, unless the domain controller is sure it has enumerated all the Universal Groups, it will not let you log on, just in case there is a security violation.

The answer to the security versus speed dilemma is Universal Group Caching.  If the domain controller can check its cache of Universal Group memberships, then it can log on the user with the correct security tokens without troubling domain controllers in other parts of the forest.

Once you have decided to implement Universal Group Caching, open Active Directory Sites and Services.  Drill down to the site name and open the properties of its NTDS Site Settings object.  (If you only see a General tab, then you have drilled down too far, into the NTDS Settings of an individual server.  Back-track from the server’s NTDS Settings to the site’s NTDS Site Settings.)

Check the box which says Enable Universal Group Caching.  If you are really stuck then just ask for Help: Enable Universal Group Caching.

Summary of New DNS Features

In Windows 2000, DNS made a huge jump from DNS in NT 4.0.  What Windows Server 2003 does is iron out a few clunky wrinkles and add new DNS features which speed up network performance, particularly in large forests.
