Changes to DNS in Windows Server 2003 - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Changes to DNS in Windows Server 2003
  • By David Pracht

2
Purpose
  • This overview discusses the changes made to
    Domain Name System (DNS) in Windows Server 2003.

3
Overview of the changes
  • Corrected issues
  • DNS auto configuration in DCpromo
  • Application directory partitions
  • Stub zones
  • Conditional forwarders
  • Client DNS group policy
  • DNS security extensions
  • DNS extension mechanism
  • DNS logging enhancements
  • Round robin update
  • Active Directory domain rename

4
Corrected Issues
  • Disjoint namespace
    • DCpromo now forces the computer's primary DNS suffix to match the
      Active Directory domain name, so a domain controller no longer ends up
      with a DNS name outside its own domain.
  • Root zone issue
    • DCpromo no longer creates a root zone (".") automatically, which in
      Windows 2000 silently disabled forwarding and Internet name
      resolution; a root zone must now be created manually if one is wanted.
  • Island server issue
    • A domain controller that uses itself as its preferred DNS server now
      registers its DsaGuid._msdcs.<ForestRootDomain> CNAME record with
      each DNS server in the domain, not only with the local server, so the
      other domain controllers can locate it for replication.

5
DNS Auto Configuration in DCpromo
  • When DCpromo installs a local DNS server, the client DNS settings are
    updated automatically if one of the following conditions is met
    • There is a single network connection.
    • The preferred and alternate DNS server settings match on all
      interfaces.
    • DNS settings exist on only one connection.

6
DNS Auto Configuration Process
  • Query the DNS servers currently specified in the network settings.
  • Update the root hints using the largest set of root hints returned.
  • Configure the new local DNS server with the current preferred and
    alternate DNS servers as forwarders.
  • Point the network connections at the local DNS server (127.0.0.1)
    first, followed by all of the previous preferred and alternate DNS
    servers.
  • If successful, log an event in Event Viewer.
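The eligibility check on slide 5 and the configuration steps on slide 6, as an added example that is not Microsoft's DCpromo code. The Interface objects and the root-hint sets that stand in for "query the current DNS servers" are constructed assumptions; the only slide-7 behaviour modelled is that nothing is changed when no root hints come back.

```python
"""Model of the DCpromo DNS auto-configuration decision on slides 5 and 6.

Added example, not Microsoft code: it encodes the three eligibility
conditions and the resulting forwarder and client settings described on
the slides.  The Interface objects and the root-hint sets that stand in
for "query the current DNS servers" are constructed assumptions.
"""
from dataclasses import dataclass, field

LOOPBACK = "127.0.0.1"


@dataclass
class Interface:
    name: str
    # Preferred and alternate DNS servers in order; empty when none are set.
    dns_servers: list = field(default_factory=list)


def auto_config_applies(interfaces):
    """True when one of the slide-5 conditions holds."""
    lists = [tuple(i.dns_servers) for i in interfaces]
    if len(interfaces) == 1:
        return True                                  # single connection
    if lists and len(set(lists)) == 1 and lists[0]:
        return True                                  # same servers everywhere
    return sum(1 for l in lists if l) == 1           # settings on one connection


def plan_auto_config(interfaces, root_hints_by_server):
    """Return the configuration DCpromo would apply, or None when not eligible.

    root_hints_by_server maps a DNS server address to the set of root server
    names it returned; constructed here in place of the real query.
    """
    if not auto_config_applies(interfaces):
        return None
    previous = []                                    # de-duplicated, order kept
    for iface in interfaces:
        for server in iface.dns_servers:
            if server not in previous:
                previous.append(server)
    # Keep the largest set of root hints returned by any of the old servers.
    root_hints = max((root_hints_by_server.get(s, set()) for s in previous),
                     key=len, default=set())
    if not root_hints:
        return {"applied": False,
                "event": "no root hints found; client DNS settings left unchanged"}
    return {
        "applied": True,
        "forwarders": previous,                      # old servers become forwarders
        "root_hints": sorted(root_hints),
        "client_dns_servers": [LOOPBACK] + previous, # local server first
        "event": "auto-configuration succeeded",
    }


if __name__ == "__main__":
    lan = Interface("LAN", ["10.0.0.2", "10.0.0.3"])
    hints = {"10.0.0.2": {"a.root-servers.net"},
             "10.0.0.3": {"a.root-servers.net", "b.root-servers.net"}}
    print(plan_auto_config([lan], hints))
```

The de-duplicated "previous" list matters in practice: the same upstream servers become both the forwarders of the new DNS server and the alternate DNS servers of the client, so a DC that later loses its local DNS service still resolves through the servers it used before promotion.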

7
If No Root Hints Found
  • If no root hints are found, the following event is logged
    • The DNS server could not configure network connections of this
      computer with the DNS server running on the computer as the preferred
      DNS server because this computer is connected to networks with
      different DNS namespaces. You must manually configure the local DNS
      server to perform name resolution on one or more of the namespaces
      before you can modify the preferred DNS servers (part of the TCP/IP
      configuration) of the network connections.
    • If the network connections of this computer are not configured with
      the DNS server running on the computer as the preferred DNS server,
      this computer may not be able to dynamically register the domain
      controller locator DNS records in DNS. Absence of these records in
      DNS may prevent other Active Directory domain members and domain
      controllers from locating this domain controller.
  • Take the following steps
    • Ensure that the DC locator DNS records enumerated in the
      %SystemRoot%\System32\config\netlogon.dns file are registered on the
      local DNS server.
    • If these records are not registered in DNS, add a delegation to this
      server in the parent DNS zone for the zone matching the name of the
      Active Directory domain, or configure the local DNS server with
      appropriate root hints and forwarders, if necessary, and configure
      the network connections of the computer with the DNS server running
      on the computer as the preferred DNS server. Note that other
      computers using other DNS servers as the preferred or alternate DNS
      server may not be able to locate this domain controller unless the
      DNS infrastructure is properly configured.

8
Application Directory Partitions
  • In Microsoft Windows 2000, if the DNS server is configured to use
    Active Directory-integrated zones, the DNS zone data is stored in the
    domain naming context (DNC) partition of Active Directory. Every object
    created in the DNC, including DNS zones and nodes (DNS names, such as
    microsoft.com), is replicated to every domain controller in the domain
    and, as a partial replica, to every global catalog (GC) server in the
    forest.
  • In contrast, Windows Server 2003 application directory partitions allow
    DNS zones to be stored in, and replicated through, a non-domain naming
    context (NDNC) partition of Active Directory. Application directory
    partitions are not replicated to the GC, so storing the DNS data there
    removes essentially all DNS objects from the GC, a significant
    reduction in the number of objects the GC normally holds.

9
Zone Replication Options
  • All DNS servers in the Active Directory forest
    • The zone data is replicated to all DNS servers running on domain
      controllers in all domains of the forest (the ForestDnsZones
      application directory partition).
  • All DNS servers in a specified Active Directory domain
    • The zone data is replicated to all DNS servers running on domain
      controllers in the specified domain (the DomainDnsZones application
      directory partition). This option is the default for Active
      Directory-integrated zone replication.
  • All domain controllers in the Active Directory domain
    • The zone is stored in the domain naming context, as in Windows 2000,
      and replicated to every domain controller in the domain whether or
      not it runs DNS. This is required when Windows 2000 DNS servers must
      load the zone.
  • All domain controllers specified in the replication scope of an
    application directory partition
    • The zone is stored in a custom application directory partition and
      replicated only to the domain controllers enlisted in that partition.

10
To Create or Delete an Application Directory Partition
  • Open a command prompt.
  • Type ntdsutil.
  • At the ntdsutil command prompt, type domain management.
  • At the domain management command prompt, type connection.
  • At the connection command prompt, type connect to server ServerName.
  • At the connection command prompt, type quit.
  • At the domain management command prompt, do one of the following
    • To create an application directory partition, type create nc
      ApplicationDirectoryPartition DomainController, where
      ApplicationDirectoryPartition is the distinguished name of the new
      partition and DomainController is the DNS name of the domain
      controller that will hold its first replica.
    • To delete an application directory partition, type delete nc
      ApplicationDirectoryPartition.

11
Stub Zones
  • Allow a DNS server for a parent domain to keep an up-to-date list of
    the authoritative DNS servers for a child (delegated) zone without
    hosting the zone itself.
  • Contain only the SOA record, the NS records, and the glue A records of
    the zone's authoritative servers.
  • The DNS server can send queries for names in the zone straight to those
    NS servers instead of recursing from the root hints.
  • The stub zone is refreshed from its master when the zone is loaded and
    whenever the master's SOA serial changes (checked at the SOA refresh
    interval).
  • The local list of master servers defines which servers this DNS server
    transfers the stub zone's records from.

12
Stub Zone Viewed From DNS Manager
13
Local List of Master Servers
  • Master servers are the DNS servers that the stub zone contacts to
    retrieve its SOA, NS, and glue A records.
  • To force the stub zone on this server to transfer from a specific set
    of servers, select the Use the list above as a local list of masters
    check box on the General tab of the stub zone properties.
  • This option is available only if the zone is stored in Active Directory
    (for a file-backed stub zone the master list is already local).
  • The local list is kept in the registry of that server and is not
    replicated through Active Directory, so it must be set on each server
    that needs it.

14
Stub Zone Properties Tab
15
Conditional Forwarders
  • Forward queries to a specific set of DNS servers according to the name
    being queried: the forwarder whose domain name most closely matches the
    query name is chosen, and its servers are tried in the order listed.
  • Recursion can be disabled individually for each forwarder domain, so a
    failed forward for that domain does not fall back to recursion from
    the root hints.
  • Primarily used for managing name resolution between different
    namespaces in your network (for example, two Active Directory forests).
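How a server decides between its own zones, a stub zone, and a conditional forwarder for a given query name (slides 11 and 15), as an added example that is not the Windows DNS Server code. The precedence used here (the closest zone the server holds, then the most specific conditional forwarder, then the global forwarders, then root hints) is this model's assumption, and the zone names and server addresses are constructed.

```python
"""Where a Windows-style DNS server sends a query: authoritative zones, stub
zones and conditional forwarders (slides 11 and 15).

Added example, not the Windows DNS Server code.  The precedence used here
(closest authoritative or stub zone, then the most specific conditional
forwarder, then the global forwarders, then root hints) is this model's
assumption, and the zone names and server addresses are constructed.
"""

def labels(name):
    """Labels of a DNS name, lower-cased, most significant label last."""
    return [l.lower() for l in name.strip(".").split(".") if l]


def suffix_labels(query, domain):
    """Number of labels `domain` contributes as a suffix of `query`, or None
    if it is not a suffix on a label boundary ("ample.com" does not match
    "example.com").  The root ("" or ".") matches every name with 0."""
    q, d = labels(query), labels(domain)
    if len(d) > len(q) or (d and q[-len(d):] != d):
        return None
    return len(d)


def closest(query, domains):
    """The domain with the longest suffix match on `query`, or None."""
    best, best_len = None, -1
    for dom in domains:
        n = suffix_labels(query, dom)
        if n is not None and n > best_len:
            best, best_len = dom, n
    return best


class Resolver:
    def __init__(self, authoritative=(), stub=None, conditional=None,
                 forwarders=(), root_hints=()):
        self.authoritative = list(authoritative)      # zones with full data
        self.stub = dict(stub or {})                   # zone -> master NS addresses
        self.conditional = dict(conditional or {})     # domain -> forwarder addresses
        self.forwarders = list(forwarders)             # global forwarders
        self.root_hints = list(root_hints)

    def route(self, query):
        """Return (mechanism, targets) for `query`."""
        # The closest zone the server holds decides first; a stub zone for
        # lab.corp.example.com beats the authoritative corp.example.com zone.
        zone = closest(query, self.authoritative + list(self.stub))
        if zone in self.stub:
            return ("stub", self.stub[zone])          # ask the child's NS directly
        if zone is not None:
            return ("authoritative", [zone])
        cond = closest(query, self.conditional)       # longest matching domain
        if cond is not None:
            return ("conditional-forwarder", self.conditional[cond])
        if self.forwarders:
            return ("forwarder", self.forwarders)
        return ("root-hints", self.root_hints)        # full recursion


if __name__ == "__main__":
    server = Resolver(
        authoritative=["corp.example.com"],
        stub={"lab.corp.example.com": ["10.1.1.53"]},
        conditional={"partner.example": ["192.0.2.10", "192.0.2.11"],
                     "example": ["192.0.2.20"]},
        forwarders=["10.0.0.53"],
        root_hints=["198.41.0.4"],
    )
    for name in ("host.lab.corp.example.com", "fs1.corp.example.com",
                 "www.partner.example", "mail.other.example", "www.wikipedia.org"):
        print(name, "->", server.route(name))
```

The label-boundary check in suffix_labels is the part worth keeping in mind when conditional forwarders point at servers outside your own trust boundary: a forwarder for example.com must not capture queries for anotherexample.com, and the matching must be done on whole labels, not on string suffixes.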

16
Forwarders Tab in DNS Properties
17
Client DNS Group Policy
  • A central location for configuring many of the DNS client settings.
  • A setting applied by Group Policy supersedes any manual or DHCP-supplied
    value for that setting.
  • The DNS suffix search list policy is key to transitioning to a
    NetBIOS-less environment, because single-label names must then be
    resolved through DNS.
  • The Update top-level domain zones policy enables Windows XP clients to
    register in a zone that has a single-label name.

18
DNS Group Policies in the Default Domain Policy
19
Policy Descriptions (1 of 2)
  • Primary DNS suffix
    • Allows you to specify a primary DNS suffix for a group of computers
      and prevents users, including administrators, from changing it.
  • Dynamic update
    • Determines whether dynamic update is enabled.
  • DNS suffix search list
    • When this setting is enabled and a user submits a query for a
      single-label name, such as widgets, the local DNS client appends a
      suffix from the list, such as microsoft.com, and sends the query
      widgets.microsoft.com to the DNS server, trying each suffix in the
      list in turn.
  • Primary DNS suffix devolution
    • Determines whether the DNS client performs primary DNS suffix
      devolution during name resolution: after trying the full primary
      suffix (for example corp.microsoft.com), the client strips the
      leftmost label and tries the parent (microsoft.com).
  • Register PTR records
    • Determines whether registration of PTR resource records is enabled
      for the computers to which this policy is applied.
  • Registration refresh interval
    • Specifies the refresh interval for the A and PTR resource records
      registered by the computers to which this setting is applied. This
      setting applies only to computers that use dynamic update.
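The names a client actually sends for an unqualified query under the suffix search list and devolution policies above, as an added example that is not the Windows resolver code. The suffixes are constructed, and the point at which devolution stops (two labels left) is an assumption of this example; the slide does not state a stopping level.

```python
"""Candidate names a Windows-style DNS client tries for an unqualified query
(slide 19: DNS suffix search list and primary DNS suffix devolution).

Added example, not the Windows resolver code.  The constructed suffixes and
the devolution floor (stop when two labels remain) are assumptions for the
illustration; the page does not state the level at which devolution stops.
"""

def devolve(primary_suffix, min_labels=2):
    """Yield the primary suffix and each of its parents down to min_labels."""
    parts = [p for p in primary_suffix.strip(".").split(".") if p]
    while len(parts) >= min_labels:
        yield ".".join(parts)
        parts = parts[1:]                    # drop the leftmost label


def candidate_names(query, primary_suffix, search_list=None,
                    devolution=True, connection_suffixes=()):
    """Return the fully qualified names tried, in order, for `query`.

    A name ending in "." is already qualified and is tried as-is.  A
    configured search list replaces the primary suffix, devolution and
    connection-specific suffixes entirely; otherwise those three sources
    are used in that order.  Multi-label unqualified names are tried as-is
    before any suffix is appended; single-label names never are.
    """
    if query.endswith("."):
        return [query.rstrip(".")]
    if search_list:
        suffixes = list(search_list)
    else:
        suffixes = list(devolve(primary_suffix)) if devolution else [primary_suffix]
        suffixes = [s for s in suffixes if s]
        suffixes += [s for s in connection_suffixes if s not in suffixes]
    names = [query] if "." in query else []
    return names + [f"{query}.{s}" for s in suffixes]


if __name__ == "__main__":
    print(candidate_names("widgets", "corp.contoso.com"))
    print(candidate_names("widgets", "corp.contoso.com",
                          search_list=["contoso.com", "partner.net"]))
    print(candidate_names("pc", "corp.example.co.uk"))
```

The last call in the usage block is the security caveat: with a primary suffix of corp.example.co.uk, devolution takes the query for pc all the way to pc.co.uk, a zone the organisation does not control, so anyone who registers that name answers the intranet query. An explicit suffix search list avoids this, which is one reason the policy is worth setting rather than relying on devolution.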

20
Policy Descriptions (2 of 2)
  • Replace addresses in conflicts
    • Determines whether a DNS client that attempts to register its A
      resource record should overwrite an existing A resource record that
      contains a conflicting IP address.
  • Register DNS records with connection-specific DNS suffix
    • Determines whether a computer performing dynamic registration may
      register its A and PTR resource records under the concatenation of
      its computer name and a connection-specific DNS suffix.
  • TTL set in the A and PTR records
    • Specifies the value of the Time-To-Live (TTL) field in the A and PTR
      resource records registered by the computers to which this setting
      is applied.
  • Update security level
    • Specifies whether the computers to which this setting is applied use
      secure dynamic update only, unsecured dynamic update only, or an
      unsecured update followed by a secure update if the unsecured attempt
      is refused. Only secure dynamic update ties a record to the account
      that registered it; in a zone that also accepts unsecured updates,
      any host on the network can overwrite another computer's A record,
      which turns Replace addresses in conflicts from a convenience into a
      name-hijacking risk.
  • Update top-level domain zones
    • Specifies whether the computers to which this policy is applied may
      send dynamic updates to zones with a single-label name, also known as
      top-level domain zones, for example, com.

21
DNS Security Extensions
  • DNSSEC gives resource records and zones origin authentication and
    integrity protection; it does not encrypt DNS data.
  • Resource record sets (RRsets) in a zone are signed with the zone's
    private key, and resolvers verify the signatures with the public key
    published in the zone.
  • Windows Server 2003 provides only basic support
    • It can act only as a secondary server for a signed zone.
    • It cannot sign zones or resource records.
    • It returns the signature records together with the records they
      cover in response to a query.
    • The Windows Server 2003 DNS client does not validate the signatures;
      it simply passes the records to the application.

22
New DNSSEC Records
  • These are the RFC 2535 record types, which Windows Server 2003 can
    store and serve; they were later replaced by DNSKEY, RRSIG, and NSEC
    (RFC 4034), which Windows Server 2003 does not understand.
  • KEY  Public key resource record
    • Contains the zone's public key.
  • SIG  Signature resource record
    • Contains the signature over an RRset, computed with the private key.
  • NXT  Next resource record
    • Names the next owner name in the zone's canonical order and lists the
      record types present at its own owner, which lets a signed response
      prove that a queried name, or a type at an existing name, does not
      exist.
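How the NXT record achieves the denial of existence described above, as an added example that is not Windows DNS Server code. It builds the NXT chain for a constructed zone and shows which single NXT record a server would return to deny a name or a type; the SIG records that would cover each NXT are left out, and the zone contents are constructed.

```python
"""Authenticated denial of existence with an NXT-style chain (slide 22).

Added example, not Windows DNS Server code.  It builds the NXT chain (the
same construction later standardised as NSEC) for a constructed zone and
shows how one NXT record proves that a name, or a type at a name, does not
exist.  The SIG records that would cover each NXT are left out.
"""

def canonical_key(name):
    """Sort key for canonical DNS order (RFC 2535 section 8.3, RFC 4034
    section 6.1): labels compared from the right, case-insensitively."""
    labels = [l.lower().encode("ascii") for l in name.strip(".").split(".") if l]
    return tuple(reversed(labels))


def build_nxt_chain(zone):
    """zone: {owner_name: set of RR types}.  Returns NXT records as
    (owner, next_owner, types_at_owner); the last one wraps to the apex."""
    owners = sorted(zone, key=canonical_key)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        types = set(zone[owner]) | {"NXT", "SIG"}   # a signed zone has these too
        chain.append((owner, nxt, frozenset(types)))
    return chain


def covers(nxt, qname):
    """True when the NXT record's owner/next span contains qname, which
    proves no owner name equal to qname exists in the zone."""
    owner, next_owner, _ = nxt
    q, o, n = canonical_key(qname), canonical_key(owner), canonical_key(next_owner)
    if o < n:
        return o < q < n
    return q > o or q < n          # last record: wraps around past the apex


def prove_nonexistence(chain, qname, qtype=None):
    """Return the NXT record that denies `qname` (or `qtype` at an existing
    `qname`); None when the name, and the type if given, actually exist."""
    q = canonical_key(qname)
    for rec in chain:
        if canonical_key(rec[0]) == q:              # name exists: check the type
            return None if qtype is None or qtype.upper() in rec[2] else rec
    for rec in chain:
        if covers(rec, qname):
            return rec
    return None


if __name__ == "__main__":
    zone = {"example.com": {"SOA", "NS", "KEY"}, "www.example.com": {"A"},
            "mail.example.com": {"A", "MX"}, "ftp.example.com": {"CNAME"}}
    chain = build_nxt_chain(zone)
    for owner, nxt, types in chain:
        print(f"{owner} NXT {nxt} {' '.join(sorted(types))}")
    print(prove_nonexistence(chain, "intranet.example.com"))
```

Because every NXT record names the next owner in the zone, a client can follow the chain from the apex and enumerate every name in the zone; that zone-walking property is inherent to NXT and NSEC and is why NSEC3 was later introduced.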

23
DNS Extension Mechanism
  • OPT resource record
    • As described in RFC 2671, EDNS0 uses an OPT pseudo-RR that is added
      to the additional section of a DNS request or response to indicate
      the sender's ability to handle the extended DNS protocol.
    • It is called a pseudo-RR because it pertains to a particular
      transport-level message and not to any actual DNS data.
    • OPT RRs are never cached, forwarded, stored in, or loaded from zone
      files.

24
DNS Extension Mechanism
  • Allows the DNS server to send and receive User Datagram Protocol (UDP)
    messages larger than the traditional 512-byte limit.
  • The sender's maximum UDP payload size is carried in the CLASS field of
    the OPT RR, so a query advertises how large a response it can accept.
  • EDNS0 support is implemented in the DNS server, not in the DNS client
    resolver.
  • EDNS0 cache: the server remembers which remote servers support EDNS0;
    entries are kept for one month.
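The OPT pseudo-RR on the wire, as an added example that is not Windows DNS Server code: a query is built with an OPT RR advertising a UDP payload size, and the parser recovers that size (or falls back to the 512-byte limit when no OPT RR is present). The query name, transaction ID and payload size are constructed.

```python
"""Building and parsing a DNS query that carries an EDNS0 OPT pseudo-RR
(RFC 2671, slides 23 and 24).

Added example, not Windows DNS Server code.  The query name, transaction ID
and advertised payload size are constructed for the illustration.
"""
import struct

OPT_TYPE = 41
CLASSIC_UDP_LIMIT = 512          # largest DNS/UDP message without EDNS0


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    out = b""
    for label in name.strip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, offset):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                  # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def build_query(qname, qtype=1, txid=0x1234, udp_payload=None):
    """Standard recursive query for qname; with udp_payload set, an OPT RR
    advertising that payload size is appended to the additional section."""
    arcount = 1 if udp_payload else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD flag
    msg = header + encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    if udp_payload:
        # OPT RR: root owner name, TYPE 41, CLASS = sender's UDP payload
        # size, TTL = extended RCODE (8) | version (8) | flags (16), RDLEN 0.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return msg


def advertised_payload_size(msg):
    """UDP payload size advertised by an OPT RR anywhere after the question,
    or CLASSIC_UDP_LIMIT when the message carries no OPT RR."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", msg[4:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                                  # QTYPE and QCLASS
    for _ in range(ancount + nscount + arcount):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10 + rdlen
        if rtype == OPT_TYPE:
            if name != "" or ((ttl >> 16) & 0xFF) != 0:
                raise ValueError("malformed OPT RR or unsupported EDNS version")
            return rclass
    return CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    q = build_query("www.example.com", udp_payload=4096)
    print(len(q), "bytes, advertises", advertised_payload_size(q))
    print("without OPT:", advertised_payload_size(build_query("www.example.com")))
```

The size a client advertises is a request, not a guarantee: a responder that honours a 4096-byte advertisement from a 44-byte query is the basis of DNS amplification, so a server that implements EDNS0 should also cap the response size it is willing to send over UDP.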

25
DNS Logging Enhancements
  • Debug logging
    • Most logging options have not changed, but the graphical user
      interface (GUI) has been updated to make it much easier to configure
      logging for troubleshooting purposes.
  • Filtering based on IP address
    • Provides additional filtering of the packets to be logged, by IP
      address.
  • Event Logging tab
    • Controls the level of events logged.

26
Event and Debug Logging Tabs
27
Round Robin Update
  • You can now specify that certain RR types are not to be round-robin
    rotated.
  • This is controlled by a registry entry called DoNotRoundRobinTypes, a
    string value containing a list of RR types.
  • The value is located at
    HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes.
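Round-robin rotation with a per-type exclusion list, as an added example that is not Windows DNS Server code. The records are constructed, and the whitespace- or comma-separated form of the type list is this example's assumption for parsing the string value; the page only says the value holds a list of RR types.

```python
"""Round-robin rotation with a do-not-rotate type list (slide 27).

Added example, not Windows DNS Server code: a small answer cache that
rotates the records of a multi-record RRset on each response unless the
RR type is listed in a DoNotRoundRobinTypes-style setting.  The records
and the whitespace- or comma-separated form of the type list are
constructed assumptions for the illustration.
"""
from collections import defaultdict


def parse_do_not_round_robin(value):
    """Turn the registry string into a set of upper-cased RR type names."""
    return {t.upper() for t in value.replace(",", " ").split()}


class RoundRobinServer:
    def __init__(self, records, do_not_round_robin=""):
        # records: (name, rtype, rdata) tuples, grouped into RRsets by (name, type)
        self.rrsets = defaultdict(list)
        for name, rtype, rdata in records:
            self.rrsets[(name.lower(), rtype.upper())].append(rdata)
        self.skip = parse_do_not_round_robin(do_not_round_robin)
        self.offset = defaultdict(int)          # rotation position per RRset

    def answer(self, name, rtype):
        """Return the RRset in the order it would appear in this response."""
        key = (name.lower(), rtype.upper())
        rrset = self.rrsets.get(key, [])
        if len(rrset) < 2 or key[1] in self.skip:
            return list(rrset)                  # nothing to rotate, or excluded type
        n = self.offset[key] % len(rrset)
        self.offset[key] += 1                   # next response starts one further on
        return rrset[n:] + rrset[:n]


if __name__ == "__main__":
    records = [
        ("www.example.com", "A", "10.0.0.1"),
        ("www.example.com", "A", "10.0.0.2"),
        ("www.example.com", "A", "10.0.0.3"),
        ("_ldap._tcp.example.com", "SRV", "0 100 389 dc1.example.com"),
        ("_ldap._tcp.example.com", "SRV", "10 100 389 dc2.example.com"),
    ]
    server = RoundRobinServer(records, do_not_round_robin="SRV")
    for _ in range(3):
        print(server.answer("www.example.com", "A"))
    print(server.answer("_ldap._tcp.example.com", "SRV"))
```

SRV and MX records already carry their own priority and weight, so rotating them only obscures the order the zone administrator intended; listing those types in DoNotRoundRobinTypes keeps the server's load balancing to the types (typically A) where the order is otherwise meaningless.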

28
Active Directory Domain Rename Behavior
  • Implemented by the Rendom.exe tool.
  • The DC locator records associated with the new name are pre-published
    on the authoritative DNS servers by the Netlogon service running on the
    domain controllers of the domain
    • <DsaGuid>._msdcs.<ForestRootDomain> (CNAME)
    • _ldap._tcp.pdc._msdcs.<DnsDomainName> (SRV)
    • _ldap._tcp.gc._msdcs.<DnsForestName> (SRV)
    • _ldap._tcp.dc._msdcs.<DnsDomainName> (SRV)

29
Rendom.exe
  • Verifies the integrity of the domain. This
    includes the ability to verify the presence or
    absence of DC Locator resource records on
    authoritative DNS servers.

30
Resource Records Affected by a Domain Rename
  • <DsaGuid>._msdcs.<ForestRootDomain> (CNAME)
    • There must be one CNAME record for every domain controller on all
      authoritative DNS servers. This ensures that replication with that
      domain controller will take place.
  • _ldap._tcp.pdc._msdcs.<DnsDomainName> (SRV)
    • There must be one SRV record for the PDC on all authoritative DNS
      servers. This ensures that authentication of users and computers
      keeps functioning.
  • _ldap._tcp.gc._msdcs.<DnsForestName> (SRV)
    • There must be at least one record for at least one GC on all
      authoritative DNS servers. This ensures that authentication of users
      and computers keeps functioning. For example, one DNS server may
      contain a record of this type registered by one GC, while other DNS
      servers may contain records of this type registered by other GCs. It
      is temporarily sufficient if at least one record of this type is
      present on every authoritative DNS server; the other records will
      eventually replicate to all authoritative DNS servers.
  • _ldap._tcp.dc._msdcs.<DnsDomainName> (SRV)
    • There must be at least one record for at least one domain controller
      on all authoritative DNS servers. This ensures that authentication of
      users and computers keeps functioning. The same temporary-sufficiency
      rule applies as for the GC record: each authoritative DNS server must
      hold at least one record of this type, registered by any domain
      controller, and the rest will replicate in time.

31
Acknowledgements
  • Microsoft employee
    • Jeff Bryant, Beta Technology Support Professional, Microsoft
      Corporation
  • Microsoft internal specifications
    • Automatic configuration of DNS client during installation of a local
      DNS server by DCpromo, Levon Esibov, and others
    • Group Policies for DNS Client, Levon Esibov, and others
    • Domain Based Forwarding, Levon Esibov, and others
    • Logging Enhancements, Levon Esibov, and others
    • Stub DNS Zones, Levon Esibov, and others
    • DNS Update API Enhancements Resolve the Island Problem, Levon Esibov,
      and others
    • DNS Zones stored in NDNC, Levon Esibov, and others
    • Store DNSSEC records, Levon Esibov, and others
    • EDNS0, Levon Esibov, and others
    • Verification of Resource Records crucial to authentication and
      replication during Domain Rename, Kamal Janardhan, and others
  • Other publications
    • Windows .NET DNS Help and preliminary Windows .NET Server Resource Kit
      DNS chapters, Michael Cretzman.
    • Windows .NET Server DNS Whitepaper v.61, Steve Hahn, BTS