Introduction to DNS in Windows Server 2003
This page concentrates on configuring DNS for Active Directory. DNS
plays a vital part in planning Active Directory names, and once Server 2003
is up and running, DNS settings are the first place to check when there are
slow connection problems.
My goals are to give you configuration tips and provide background
information about Active Directory. My greatest wish is that you will be
able to make informed decisions for yourself.
Sometimes, particularly in troubleshooting, you have to go back to basics.
Keep in mind that the primary point of DNS is to map a server's name to an IP
address. Example: LogonServer - 10.209.12.20.
Users need a range of resources, from printers and home directories to global
catalog servers and Kerberos authentication for logon.
The role of DNS is to respond to users' requests for a resource by providing
the IP address of the server that offers it.
The extra dimension of DNS with Active Directory is the _SRV records. These
service records tell you not only the server's IP address but also the services
that it offers. Here is a Kerberos example: _kerberos 88 (Port)
LogonServer.TopBanana.com.
User's perspective - "I want to logon."
DNS with Active Directory - "I will look in the _SRV records for a server
which offers Kerberos authentication."
DNS host record - "Here is the IP address of the server you need."
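To make the _SRV lookup above concrete, here is an added example (not from the original article) in Python. It decodes the SRV answers a client would receive for _kerberos._tcp.TopBanana.com, straight from the DNS wire format, and then picks a server the way RFC 2782 tells clients to: lowest priority first, then a weighted random choice among servers sharing that priority. The DNS message is constructed inside the script, so it runs offline; LogonServer.TopBanana.com and port 88 come from the article, while LogonServer2, BackupKDC and the priorities and weights are invented values.

```python
"""Decode the SRV records a client receives for _kerberos._tcp.TopBanana.com
and choose a KDC the way RFC 2782 tells clients to.

Added example, not from the original article.  The DNS response is built
inside the script so it runs offline; LogonServer.TopBanana.com and port 88
come from the article, the other hosts, priorities and weights are invented.
"""
import random
import struct

TYPE_SRV = 33
CLASS_IN = 1


def encode_name(name):
    """Dotted name -> DNS label sequence (length byte + label ... terminating 0)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:                # RFC 1035 compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped = True
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_srv_response(qname, records):
    """Minimal DNS response: one question plus one SRV answer per record.
    Answer owner names are a pointer (0xC00C) back to the question at offset 12."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_SRV, CLASS_IN)
    answers = b""
    for prio, weight, port, target in records:
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    return header + question + answers


def parse_srv_response(msg):
    """Return [{priority, weight, port, target}, ...] from the answer section."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    offset = 12
    for _ in range(qdcount):
        _, offset = decode_name(msg, offset)
        offset += 4                                # skip QTYPE + QCLASS
    results = []
    for _ in range(ancount):
        _, offset = decode_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[offset:offset + 6])
            target, _ = decode_name(msg, offset + 6)
            results.append({"priority": prio, "weight": weight, "port": port, "target": target})
        offset += rdlen
    return results


def choose_server(records, rand=random.randint):
    """RFC 2782 selection: lowest priority wins; among equals, weight-0 entries
    go first and a random number in [0, total weight] picks by running sum."""
    lowest = min(r["priority"] for r in records)
    candidates = sorted((r for r in records if r["priority"] == lowest),
                        key=lambda r: r["weight"] != 0)
    total = sum(r["weight"] for r in candidates)
    pick, running = rand(0, total), 0
    for rec in candidates:
        running += rec["weight"]
        if running >= pick:
            return rec
    return candidates[-1]


# Constructed answer set: two KDCs at priority 0 (one with weight 0) and a backup at 10.
SAMPLE_RECORDS = [
    (0, 100, 88, "LogonServer.TopBanana.com"),
    (0, 0, 88, "LogonServer2.TopBanana.com"),
    (10, 100, 88, "BackupKDC.TopBanana.com"),
]
SAMPLE_RESPONSE = build_srv_response("_kerberos._tcp.TopBanana.com", SAMPLE_RECORDS)

if __name__ == "__main__":
    parsed = parse_srv_response(SAMPLE_RESPONSE)
    for rec in parsed:
        print(rec)
    print("client would use:", choose_server(parsed)["target"])
```

The priority 10 record is never chosen while a priority 0 server is present, which is exactly why a stale or wrongly prioritised _SRV entry sends every logon to the wrong box; the `rand` parameter exists so the selection can be driven deterministically when testing.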
The key reason for integrating DNS and AD is efficiency. This is particularly
true where you have lots of replication traffic. Even if you have a fast
network, it makes sense for DNS changes to be replicated alongside Active
Directory changes, rather than through their own separate system.
Windows 2000 (and later) DNS servers use IXFR - Incremental Zone Transfer -
which means that only changes are replicated, not the whole database. The
disgraceful situation in NT 4.0 was that if you added one DNS record then all
records were transferred during the update, creating unwanted extra network
traffic.
DNS names and Active Directory names.
The confusion arises because both DNS and Microsoft's Active Directory use the
word domain. It may be better to think of, and refer to, DNS zones and Active
Directory domains. It is often a very good idea to make the DNS zone and the
Active Directory name the same, for example DNS zone TopBanana.com and Active
Directory root domain TopBanana.com. However, this arrangement can add to the
confusion unless you are clear about the distinction between DNS and Active
Directory.
Naming your Active Directory Forest
It is crucial to understand all the implications of your naming conventions,
especially the relationship between domain name and DNS name. Learn from the
mistakes of others. One urban myth circulating has it that all of the first 10
companies who installed Windows 2000 Active Directory had to go back to the
drawing board and start again. What was their problem? In each case they got
their naming strategy wrong (or they did not have a strategy).
The first question is whether you are going to use an existing DNS name. If
you are using an existing domain name, will you use the same name for your
first domain? A supplementary question: will the root domain be blank, or will
it be your HQ domain? There are no right or wrong answers to these questions;
what I am saying is that once you make your decisions you need detailed plans
to ensure they work, so that you do not have to rip it all up and start again.
How many domains do you need? I do have a view here - as few as possible.
Good reasons for having more than one domain: a multinational company,
incompatible security needs, different language versions of Windows 2003.
Bad reasons for having a new domain: there is a new manager in a division, or
a region wants complete control of its IT.
If you do find this planning too much, then either make a single domain work
for you, or else employ a network architect who is used to sorting out these
naming dilemmas.
The scenario: you are about to install your first Active Directory domain
controller. Remember that whenever you install Windows Server 2003 it begins
life as a member server. To install Active Directory go to the Start Menu,
then Run, DCPROMO, and so create a domain controller. But before you do that,
check out DNS.
Begin in the System Icon, Computer Name (Tab), Change, More.., Primary DNS
Suffix of this Computer. Make sure the settings are as per plan.
Double check the Network Connections, Local Area Network, TCP/IP properties,
Use the following DNS server address: does this point to itself, or to the
correct DNS server? I would fill in both DNS server boxes if you have two DNS
servers.
Install DNS through Add or Remove Programs, Windows Components, Networking
Components, Details, DNS. If this is your first server I would run DCPROMO
without any more configuration at this stage. My tactic is to let the Wizard
add and populate the Forward Lookup Zone.
- Once DCPROMO creates Active Directory records in DNS, I would create the
reverse lookup zone and test it with NSLOOKUP.
- Check the Event Viewer, which is now just under the DNS server object. Look
up any suspicious error messages in TechNet.
- Right click the DNS server, Properties, Monitor (Tab), Test Now. Should the
Recursive query fail, investigate the Root Hints. (I have never seen the Simple
Query fail.)
- If you are not connected to the internet, you may wish to create a '.' (dot,
period, full stop) root domain and point the root '.' to your domain.
- Many of us believe that you have not proved Active Directory is working
properly until you have installed a second domain controller and seen
replication of users.
- Set a date to switch to 'Raise Domain Functional Level'. I used to call this
switching to Native Mode, but now it is more complex. When you have no more NT
4.0 BDCs, raising the domain level turns on features like Universal Groups,
group nesting and RAS Policies, as well as extra Exchange functionality.
- Once DCPROMO installs Active Directory, I would check that at least 4 _msdcs
records are created; if not, I would start and stop the Netlogon service and
check again. Still no _msdcs records? I would reboot, take a 10 minute break
and look again in DNS.
Experience tells me that either DCPROMO works and there is no problem, or else
it is very stubborn. If there is still no sign of Active Directory records in
DNS, I would run DCPROMO, demote and start again at the beginning. In the case
of a test installation, I would change the Computer name and the domain suffix
before trying again.
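As an added example (not the article's own), the following Python script turns the NSLOOKUP check in the list above into something repeatable: it parses the SRV blocks that Windows nslookup prints after 'set type=SRV', reports which of the well-known records a domain controller registers through Netlogon are absent, counts the _msdcs entries against the article's "at least 4" rule of thumb, and flags any svr hostname that came back without an address (an _SRV record is useless if the host record behind it is missing). The transcript embedded in the script is constructed to mimic that nslookup layout (an assumption; compare it with your own output), and the host names and addresses other than the article's LogonServer, TopBanana.com and 10.209.12.20 are invented.

```python
"""Audit the Active Directory SRV records shown in an nslookup transcript.

Added example, not from the original article.  The transcript below is
constructed to mimic what Windows nslookup prints after 'set type=SRV'
(an assumption; compare with your own output).  Host names and addresses
other than the article's LogonServer / TopBanana.com / 10.209.12.20 are invented.
"""
import re

# Well-known names a domain controller registers via Netlogon.  For a single
# root domain the forest name in the gc record is the same as the domain name.
EXPECTED_SRV = [
    "_ldap._tcp.dc._msdcs.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.pdc._msdcs.{domain}",
    "_ldap._tcp.gc._msdcs.{domain}",
    "_ldap._tcp.{domain}",
    "_kerberos._tcp.{domain}",
    "_kpasswd._tcp.{domain}",
]

# Constructed transcript: two expected records are absent and dc2 has no host record.
SAMPLE_NSLOOKUP = """\
Server:  logonserver.topbanana.com
Address:  10.209.12.20

_ldap._tcp.dc._msdcs.topbanana.com      SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = logonserver.topbanana.com
_kerberos._tcp.dc._msdcs.topbanana.com  SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = logonserver.topbanana.com
_ldap._tcp.pdc._msdcs.topbanana.com     SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = logonserver.topbanana.com
_ldap._tcp.topbanana.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = logonserver.topbanana.com
_kerberos._tcp.topbanana.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc2.topbanana.com
logonserver.topbanana.com       internet address = 10.209.12.20
"""

SRV_BLOCK = re.compile(
    r"^(?P<name>\S+)\s+SRV service location:\s+"
    r"priority\s*=\s*(?P<priority>\d+)\s+"
    r"weight\s*=\s*(?P<weight>\d+)\s+"
    r"port\s*=\s*(?P<port>\d+)\s+"
    r"svr hostname\s*=\s*(?P<target>\S+)",
    re.MULTILINE,
)
ADDR_LINE = re.compile(r"^(?P<host>\S+)\s+internet address\s*=\s*(?P<ip>\S+)", re.MULTILINE)


def parse_nslookup_srv(text):
    """Map each SRV owner name (lower-cased, no trailing dot) to its records."""
    records = {}
    for m in SRV_BLOCK.finditer(text):
        rec = {"priority": int(m["priority"]), "weight": int(m["weight"]),
               "port": int(m["port"]), "target": m["target"].lower().rstrip(".")}
        records.setdefault(m["name"].lower().rstrip("."), []).append(rec)
    return records


def parse_addresses(text):
    """Map host names to the addresses nslookup printed as additional data."""
    return {m["host"].lower().rstrip("."): m["ip"] for m in ADDR_LINE.finditer(text)}


def audit(text, domain):
    """Return the expected names that are missing, targets with no address,
    and how many _msdcs records were seen."""
    srv = parse_nslookup_srv(text)
    addrs = parse_addresses(text)
    expected = [n.format(domain=domain.lower()) for n in EXPECTED_SRV]
    targets = sorted({r["target"] for recs in srv.values() for r in recs})
    return {
        "missing": [n for n in expected if n not in srv],
        "unresolved_targets": [t for t in targets if t not in addrs],
        "msdcs_count": sum(len(r) for n, r in srv.items() if "._msdcs." in n),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_NSLOOKUP, "TopBanana.com")
    for key, value in result.items():
        print(f"{key}: {value}")
    if result["msdcs_count"] < 4:
        print("fewer than 4 _msdcs records: restart Netlogon and look again")
```

Run it against a real transcript by replacing SAMPLE_NSLOOKUP with the saved output of querying each name in EXPECTED_SRV; an empty "missing" list and an empty "unresolved_targets" list is the state DCPROMO should leave you in before you move on to the second domain controller.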