Active Directory in Windows 2003 – DNS

Introduction to DNS in Windows Server 2003

This page concentrates on configuring DNS for Active Directory.  DNS plays a vital part in planning Active Directory names, and once Server 2003 is up and running, DNS settings are the first place to check when there are slow connection problems.

My goals are to give you configuration tips and provide background information about Active Directory.  My greatest wish is that you will be able to make informed decisions for yourself.

The Primary Purpose of DNS

Sometimes, particularly in troubleshooting, you have to go back to basics.  Keep in mind that the primary point of DNS is to map a server’s name to an IP address.  Example:  LogonServer  –  10.209.12.20.

Users need a range of resources, from printers and home directories to global catalog servers and Kerberos authentication for logon.  The role of DNS is to respond to users' requests for a resource by providing the IP address of the server that offers it.

The extra dimension that Active Directory adds to DNS is the SRV (service) records, the names beginning with an underscore.  These service records tell you not only the server’s IP address but also the services that it offers.  Here is a Kerberos example: _kerberos, port 88, LogonServer.TopBanana.com.

User’s perspective – "I want to logon."

DNS with Active Directory – "I will look in the _SRV records for a server which offers Kerberos authentication."

DNS host record – "Here is the IP address of the server you need."

Integrating DNS and Active Directory

The key reason for integrating DNS and AD is efficiency.  This is particularly true where you have lots of replication traffic.  Even if you have a fast network, it makes sense for DNS changes to be replicated alongside Active Directory changes, rather than through their own separate replication system.

Windows 2000 (and later) DNS servers use IXFR – Incremental Zone Transfer – which means that only the changes are replicated, not the whole database.  The disgraceful situation in NT 4.0 was that if you added one DNS record then all records were transferred during the update, creating unwanted extra network traffic.

Importance of Naming and DNS

DNS names and Active Directory names

The confusion arises because both DNS and Microsoft’s Active Directory use the word domain.  It may be better if you think of, and refer to, DNS zones and Active Directory domains.  It is often a very good idea to give the DNS zone and the Active Directory domain the same name, for example DNS zone TopBanana.com and Active Directory root domain TopBanana.com.  However, this arrangement can add to the confusion unless you are clear about the distinction between DNS and Active Directory.

Naming your Active Directory Forest

It is crucial to understand all the implications of your naming conventions, especially the relationship between the domain name and the DNS name.  Learn from the mistakes of others.  One urban myth circulating has it that all of the first 10 companies who installed Windows 2000 Active Directory had to go back to the drawing board and start again.  What was their problem?  In each case they got their naming strategy wrong (or they did not have a strategy).

The first question is: are you going to use an existing DNS name?  If you are using an existing domain name, will you use the same name for your first domain?  A supplementary question: will the root domain be blank, or will it be your HQ domain?  There are no right or wrong answers to these questions; what I am saying is that once you have made your decisions, you need detailed plans to ensure the design works and that you do not have to rip it all up and start again.

How many domains do you need?  Here I do have a view: as few as possible.  Good reasons for having more than one domain: a multinational company, incompatible security needs, different language versions of Windows 2003.  Bad reasons for having a new domain: there is a new manager in a division, or a region wants complete control of its IT.

If you do find this planning too much, then either make a single domain work for you, or else employ a network architect who is used to sorting out these naming dilemmas.

Practical configuration of DNS and DCPROMO

The scenario: you are about to install your first Active Directory domain controller.  Remember that whenever you install Windows Server 2003 it begins life as a member server.  To install Active Directory go to the Start Menu, then Run, type DCPROMO and so create a domain controller.  But before you do that, check out DNS.

Begin in the System icon: Computer Name (tab), Change, More..., Primary DNS suffix of this computer.  Make sure the settings are as per plan.

Double check the Network Connections, Local Area Network, TCP/IP properties, "Use the following DNS server addresses": does this point to the server itself, or to the correct DNS server?  I would fill in both DNS server boxes if you have two DNS servers.

Install DNS through Add or Remove Programs, Windows Components, Networking Components, Details, DNS.  If this is your first server I would run DCPROMO without any more configuration at this stage.  My tactic is to let the Wizard add and populate the Forward Lookup Zone.

Seven post installation Active Directory and DNS checks

  1. Once DCPROMO creates Active Directory records in DNS, I would create the reverse lookup zone and test it with NSLOOKUP.
  2. Check the Event Viewer, which is now just under the DNS server object.  Look up any suspicious error messages in TechNet.
  3. Right-click the DNS server, Properties, Monitor (tab), Test Now.  Should the recursive query fail, investigate the Root Hints.  (I have never seen the simple query fail.)
  4. If you are not connected to the internet, you may wish to create a ‘.’ (dot, period, full stop) root zone so that the root points to your own domain.
  5. Many of us believe that you have not proved Active Directory is working properly until you have installed a second domain controller and seen replication of users.
  6. Set a date to switch to ‘Raise Domain Functional Level’.  I used to call this switching to Native Mode, but now it is more complex.  When you have no more NT 4.0 BDCs, raising the domain level turns on features like Universal Groups, group nesting and RAS Policies, as well as extra Exchange functionality.
  7. Once DCPROMO installs Active Directory, I would check that at least 4 _msdcs records are created; if not, I would stop and start the Netlogon service and check again.  Still no _msdcs records?  I would reboot, take a 10 minute break and look again in DNS.

    Experience tells me that either DCPROMO works and there is no problem, or else it is very stubborn.  If there is still no sign of Active Directory records in DNS, I would run DCPROMO, demote and start again at the beginning.  In the case of a test installation, I would change the computer name and the domain suffix before trying again.
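The following added example (not part of the original article) models the three-step lookup described under "The Primary Purpose of DNS" and the _msdcs check in item 7 above, using a constructed TopBanana.com zone.  The SRV names, ports and the 10.209.12.20 address are the article's example values or constructed for illustration; the four _msdcs service names checked are the ones a domain controller registers through Netlogon.

```python
"""Model of the DNS lookup chain an Active Directory client follows (constructed data)."""
import random

# Constructed AD-integrated zone for the article's TopBanana.com example (not real data).
# SRV: service name -> list of (priority, weight, port, target host), as Netlogon registers them.
SRV = {
    "_kerberos._tcp.TopBanana.com.":           [(0, 100, 88, "LogonServer.TopBanana.com.")],
    "_ldap._tcp.TopBanana.com.":               [(0, 100, 389, "LogonServer.TopBanana.com.")],
    "_ldap._tcp.dc._msdcs.TopBanana.com.":     [(0, 100, 389, "LogonServer.TopBanana.com.")],
    "_kerberos._tcp.dc._msdcs.TopBanana.com.": [(0, 100, 88, "LogonServer.TopBanana.com.")],
    "_ldap._tcp.pdc._msdcs.TopBanana.com.":    [(0, 100, 389, "LogonServer.TopBanana.com.")],
    "_ldap._tcp.gc._msdcs.TopBanana.com.":     [(0, 100, 3268, "LogonServer.TopBanana.com.")],
}
# A: host record -> IP address (the "primary purpose of DNS" step).
A = {"LogonServer.TopBanana.com.": "10.209.12.20"}

# The _msdcs services a domain controller registers in its own domain (gc under the forest root).
# Any of these missing is the post-DCPROMO symptom the article describes.
REQUIRED_MSDCS = ("_ldap._tcp.dc._msdcs", "_kerberos._tcp.dc._msdcs",
                  "_ldap._tcp.pdc._msdcs", "_ldap._tcp.gc._msdcs")


def pick_srv(records, rng=random):
    """RFC 2782 selection: lowest priority wins; ties are broken by weighted random choice."""
    best = min(r[0] for r in records)
    candidates = [r for r in records if r[0] == best]
    weights = [r[1] for r in candidates]
    if sum(weights) == 0:          # all weights zero: treat the candidates as equal
        weights = [1] * len(candidates)
    return rng.choices(candidates, weights=weights, k=1)[0]


def locate_service(service, domain, srv=SRV, a=A):
    """Client asks for a service; the SRV record names host and port; the host record gives the IP.
    Returns (target host, port, ip), or None when either step fails."""
    name = "%s.%s." % (service, domain)
    if name not in srv:
        return None
    _prio, _weight, port, target = pick_srv(srv[name])
    ip = a.get(target)
    return (target, port, ip) if ip else None


def missing_msdcs_records(domain, srv=SRV):
    """Post-installation check: which required _msdcs SRV names are absent from the zone?"""
    return [s for s in REQUIRED_MSDCS if "%s.%s." % (s, domain) not in srv]


if __name__ == "__main__":
    print(locate_service("_kerberos._tcp", "TopBanana.com"))  # ('LogonServer.TopBanana.com.', 88, '10.209.12.20')
    print(missing_msdcs_records("TopBanana.com"))             # []
```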
