70-240 in 15 minutes a week: Active Directory and DNS - Part 1 Page 3

By ServerWatch Staff (Send Email)
Posted May 14, 2001


The second main concept you'll need to be familiar with is that of a zone. A zone is basically an area of the DNS namespace that functions as an administrative unit. That is, a group of name servers is responsible (has authority) for the records relating to a certain domain and/or its subdomains. I like to refer to zones as areas of responsibility. For example, I could create a zone for the domain win2000trainer.com, and create two servers that would be responsible (authoritative) for holding records for the defined zone. I could then create a different zone, to be managed by someone else, for the domain asia.win2000trainer.com, and have two other servers (perhaps in Asia) that are responsible (authoritative) for the records in that zone. However, a zone can also encompass a number of domains, as long as they fall within a contiguous namespace. For example, win2000trainer.com and asia.win2000trainer.com could be part of the same zone, with a number of servers responsible for holding records relating to the two domains. If a query were sent to these DNS servers looking for a record ending in win2000trainer.com or asia.win2000trainer.com, these name servers could answer the query, since they are authoritative for the zone that includes the two domains. The main reason for having multiple zones usually relates to administrative authority, as well as zone transfer traffic. For example, if I have one DNS administrator in Canada and one in Asia, two zones may be warranted. By the same token, if I had only one zone, then all DNS servers (perhaps two in Canada and two in Asia) would need to participate in zone transfers in order to receive updates, which may cause an unacceptable level of WAN traffic. 

As a general rule, you should be familiar with five main types of DNS server: primary, secondary, Active Directory integrated, forwarding, and caching-only. Each is described below:

Primary DNS Server - a primary DNS server is the name server that is authoritative for a zone. Essentially what this means is that this is the only server on which updates to the zone database can be made. 

Secondary DNS Server - a secondary DNS server contains a read-only copy of the information stored on the primary name server, and obtains updates via zone transfers. A single secondary is the minimum suggested requirement, but many more can be created for the purposes of load-balancing and fault-tolerance. 

Active Directory Integrated - limited to Windows 2000-based DNS servers, this implementation of DNS stores the zone as an object within Active Directory instead of as a series of files on the hard drive. In this scenario, every domain controller running DNS essentially acts as a primary DNS server, accepting updates to the zone and handling zone synchronization via directory replication. As such, if any DNS server should fail, any other AD-integrated server can continue to accept updates. 

Caching-Only - a caching only DNS server is not authoritative for any zone. As such, it simply takes client queries, performs queries on other DNS servers, caches the results, and passes the answers to clients. By default, a caching-only DNS server will forward all queries for information not found in cache to DNS root servers. 

Forwarder - DNS servers can be configured to send queries that they cannot resolve to other specific DNS servers, referred to as forwarders. The forwarders then work to resolve the query instead of the individual DNS servers. This reduces the number of requests sent to find hosts (on the Internet, for example) over time, as the forwarder handles these requests and caches the results, which are then returned to the DNS servers making the request. This can improve both speed and efficiency. 
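To tie the zone concept and the server roles together, here is an added Python model; it is not code from the article and not how Windows 2000 DNS is implemented. It takes the two zone names from the article, while the server names, addresses and the INTERNET table are constructed stand-ins. The most specific zone covering a name is authoritative for it, a subdomain delegated to its own zone is excluded from the parent, a server with no zones is caching-only, and a server with a forwarder sends unresolved queries there instead of toward the root servers:

```python
"""Toy model of DNS zones and server roles. Added example, not code from the
article or from Windows 2000 DNS; zone names come from the article, while the
addresses, server names and the INTERNET table are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field


def labels(name: str) -> tuple[str, ...]:
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return tuple(l for l in name.lower().rstrip(".").split(".") if l)


def is_under(name: str, suffix: str) -> bool:
    """True when name equals suffix or lies beneath it in the namespace."""
    n, s = labels(name), labels(suffix)
    return len(n) >= len(s) and n[-len(s):] == s


@dataclass
class Zone:
    """An administrative unit: a contiguous piece of the namespace, possibly
    spanning several domains, minus any subdomains delegated to another zone."""
    origin: str
    records: dict[str, str] = field(default_factory=dict)   # name -> A record (constructed)
    delegations: set[str] = field(default_factory=set)      # subdomains handled by another zone

    def covers(self, name: str) -> bool:
        if not is_under(name, self.origin):
            return False
        return not any(is_under(name, child) for child in self.delegations)


@dataclass
class DnsServer:
    name: str
    zones: list[Zone] = field(default_factory=list)   # no zones == caching-only server
    forwarder: DnsServer | None = None                 # where unresolved queries are sent
    cache: dict[str, str] = field(default_factory=dict)
    upstream_queries: int = 0                          # queries this server had to send elsewhere

    def authoritative_zone(self, name: str) -> Zone | None:
        """Pick the most specific zone that covers the name, or None."""
        matches = [z for z in self.zones if z.covers(name)]
        return max(matches, key=lambda z: len(labels(z.origin)), default=None)

    def resolve(self, name: str) -> tuple[str | None, str]:
        """Return (answer, source). Authoritative data wins, then the cache,
        then the forwarder if one is configured, otherwise the root-hints path."""
        key = name.lower().rstrip(".")
        zone = self.authoritative_zone(key)
        if zone is not None:
            return zone.records.get(key), "authoritative"
        if key in self.cache:
            return self.cache[key], "cache"
        self.upstream_queries += 1
        if self.forwarder is not None:
            answer, _ = self.forwarder.resolve(key)
            source = "forwarded"
        else:
            answer = INTERNET.get(key)   # stand-in for iterating from the root servers
            source = "root-hints"
        if answer is not None:
            self.cache[key] = answer
        return answer, source


# Constructed stand-in for "the rest of the Internet" reached via the root servers.
INTERNET = {"www.example.com": "198.51.100.5"}


def build_example() -> tuple[DnsServer, DnsServer, DnsServer]:
    """Two zones with separate administrators (Canada and Asia) plus a
    caching-only server that forwards to the Canadian server."""
    canada_zone = Zone("win2000trainer.com",
                       {"www.win2000trainer.com": "192.0.2.10"},
                       delegations={"asia.win2000trainer.com"})
    asia_zone = Zone("asia.win2000trainer.com",
                     {"www.asia.win2000trainer.com": "192.0.2.20"})
    asia = DnsServer("asia-ns", zones=[asia_zone])
    canada = DnsServer("canada-ns", zones=[canada_zone])
    branch = DnsServer("branch-cache", forwarder=canada)   # caching-only: no zones
    return canada, asia, branch


if __name__ == "__main__":
    canada, asia, branch = build_example()
    print(canada.authoritative_zone("www.asia.win2000trainer.com"))   # None: delegated away
    print(asia.resolve("www.asia.win2000trainer.com"))
    print(branch.resolve("www.example.com"), branch.resolve("www.example.com"))
    print("upstream queries:", branch.upstream_queries, canada.upstream_queries)
```

Running it shows the Canadian server declining authority for www.asia.win2000trainer.com once that subdomain is delegated, whereas a single Zone("win2000trainer.com") with no delegations covers both domains, which is the one-zone layout the text describes. The branch server's upstream_queries counter stays at one across repeated lookups of the same name; that is the traffic saving forwarding and caching provide.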


New Features of Windows 2000 DNS

In the Windows 2000 DNS implementation, a number of changes have been made. The most important include support for service records, dynamic DNS, secure dynamic updates, incremental zone transfer, and Active Directory integration. Each of these is described below:

Service Records - the Windows 2000 DNS implementation provides support for an important type of resource record, the service record (often referred to as an SRV record). Service records allow a client to query DNS for a system running a particular service, such as a global catalog (which is designated by a GC record). 
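As an added illustration of how a client uses service records (not code from the article or from the Windows 2000 locator), the following Python parses SRV data in zone-file form and chooses a target the way RFC 2782 specifies: lowest priority first, then in proportion to weight. The record values and host names are constructed; the _gc._tcp.<forest> owner name and port 3268 are the standard global catalog service location, which the article does not spell out.

```python
"""SRV record parsing and RFC 2782 target selection. Added example, not code
from the article; record names, addresses and weights are constructed."""
import random
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred
    weight: int     # relative share of load among equal priorities
    port: int
    target: str


def gc_locator_name(forest_root: str) -> str:
    """Owner name a client queries to find a global catalog in the forest
    (standard name, not from the article)."""
    return f"_gc._tcp.{forest_root.rstrip('.')}"


def parse_srv(rdata: str) -> SrvRecord:
    """Parse SRV RDATA in zone-file form: 'priority weight port target'."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError(f"malformed SRV rdata: {rdata!r}")
    priority, weight, port = (int(p) for p in parts[:3])
    for value in (priority, weight, port):
        if not 0 <= value <= 65535:
            raise ValueError(f"SRV field out of range: {rdata!r}")
    return SrvRecord(priority, weight, port, parts[3].rstrip(".").lower())


def select_srv(records, rng=random) -> SrvRecord:
    """RFC 2782: use only the lowest priority present; among those, choose in
    proportion to weight. Weight-0 entries are listed first so they are picked
    only on a roll of 0, a small chance, as the RFC intends."""
    if not records:
        raise LookupError("no SRV records to choose from")
    best = min(r.priority for r in records)
    candidates = sorted((r for r in records if r.priority == best), key=lambda r: r.weight)
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)      # all weights zero: pick uniformly
    roll = rng.randint(0, total)           # inclusive on both ends
    running = 0
    for rec in candidates:
        running += rec.weight
        if running >= roll:
            return rec
    return candidates[-1]


def simulate_distribution(records, draws: int, seed: int) -> Counter:
    """Count which target is chosen over many selections (seeded, so repeatable)."""
    rng = random.Random(seed)
    return Counter(select_srv(records, rng).target for _ in range(draws))


# Constructed records: two GCs at priority 0 sharing load 60/40, one backup at priority 10.
EXAMPLE_RDATA = [
    "0 60 3268 dc1.win2000trainer.com.",
    "0 40 3268 dc2.win2000trainer.com.",
    "10 100 3268 dc3.asia.win2000trainer.com.",
]
EXAMPLE_RECORDS = [parse_srv(r) for r in EXAMPLE_RDATA]

if __name__ == "__main__":
    print(gc_locator_name("win2000trainer.com"))
    print(simulate_distribution(EXAMPLE_RECORDS, 10_000, seed=42))
```

The simulation shows the priority-10 server never being chosen while a priority-0 server is listed, and the two priority-0 servers splitting queries roughly 60/40. That is why the priority and weight fields on SRV records matter when you register more than one domain controller or global catalog.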

Dynamic DNS - In a traditional DNS implementation, all records needed to be created and updated manually on the DNS server, which could be extremely time consuming. The Windows 2000 implementation supports RFC 2136, usually referred to as Dynamic DNS or DDNS. In this implementation, clients are capable of automatically updating their own records, which is especially useful in environments where clients use DHCP for IP address allocation. Windows 2000 is the only current Microsoft client OS that supports dynamic updates. However, it is also possible to configure a Windows 2000 DHCP server to update DNS on behalf of clients, allowing non-Windows 2000 client information to be updated in DNS. Dynamic DNS is also especially useful for domain controllers, which can automatically register their service records; otherwise, all of these would need to be created manually.

Secure Dynamic Updates - if a DNS zone is Active Directory integrated, Windows 2000 allows you to use secure dynamic updates. Note that ordinary dynamic updates can be dangerous: any client could be registered in DNS, since dynamic DNS only looks for a request and does not authenticate it. If secure dynamic updates are enabled, only a user or system that has the appropriate permissions on the zone's access control list (ACL) can add a system to DNS. By default, the Authenticated Users group has these permissions. Client systems will attempt an unsecured request first by default, and a secure update if that is refused.
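The two paragraphs above (dynamic updates, and the secure variant) are easiest to see side by side in a small model. This is an added Python example, not code from the article or from Windows 2000 DNS: the zone name is the article's, while the host names, addresses, principals and the three policy values are constructed. An unsecured request carries no identity, so a zone that accepts it has nothing to check; a secure-only zone refuses it and decides secure requests against its ACL, where Authenticated Users is the default grant the article mentions.

```python
"""Model of nonsecure versus secure dynamic updates. Added example, not code
from the article; host names, addresses and principals are constructed."""
from dataclasses import dataclass, field
from enum import Enum


class UpdatePolicy(Enum):
    NONE = "no dynamic updates"
    NONSECURE_AND_SECURE = "nonsecure and secure"   # any request is accepted
    SECURE_ONLY = "secure only"                     # AD-integrated zones only


@dataclass
class DynamicZone:
    origin: str
    policy: UpdatePolicy
    # Zone ACL: who may add records via a secure update (default grant as in the text).
    acl: set = field(default_factory=lambda: {"Authenticated Users"})
    records: dict = field(default_factory=dict)     # name -> address

    def update(self, name, address, principal=None, groups=()):
        """Handle one RFC 2136 update request. principal=None models an
        unsecured request, which carries no identity at all. Returns a DNS
        RCODE name: NOERROR or REFUSED."""
        if self.policy is UpdatePolicy.NONE:
            return "REFUSED"
        if principal is None:
            if self.policy is UpdatePolicy.SECURE_ONLY:
                return "REFUSED"
            # Nothing to check: the request is taken at face value.
            self.records[name] = address
            return "NOERROR"
        # Secure update: the identity is proven, so the zone ACL decides.
        if principal in self.acl or self.acl.intersection(groups):
            self.records[name] = address
            return "NOERROR"
        return "REFUSED"


def register(zone, name, address, principal, groups=("Authenticated Users",)):
    """Windows 2000 client behaviour as the article describes it: send an
    unsecured update first and retry securely only if that is refused.
    Returns (final RCODE, list of (mode, RCODE) attempts)."""
    attempts = []
    rcode = zone.update(name, address)              # unsecured attempt
    attempts.append(("unsecured", rcode))
    if rcode == "REFUSED":
        rcode = zone.update(name, address, principal, groups)
        attempts.append(("secure", rcode))
    return rcode, attempts


if __name__ == "__main__":
    open_zone = DynamicZone("win2000trainer.com", UpdatePolicy.NONSECURE_AND_SECURE)
    # A machine with no domain credentials still gets a record in the open zone.
    print(open_zone.update("unmanaged-pc.win2000trainer.com", "192.0.2.99"))
    locked = DynamicZone("win2000trainer.com", UpdatePolicy.SECURE_ONLY)
    print(locked.update("unmanaged-pc.win2000trainer.com", "192.0.2.99"))
    print(register(locked, "ws01.win2000trainer.com", "192.0.2.50", "WIN2000TRAINER\\WS01$"))
```

One consequence of the try-unsecured-first order is worth noting for anyone watching the wire: on a zone that allows both kinds of update, domain members never send the secure form at all, because the first attempt succeeds. Only a secure-only zone forces the REFUSED-then-secure exchange the article describes.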

Incremental Zone Transfer - NT 4 DNS implementations only supported AXFR, or full zone transfers. Under this configuration, every time a primary name server did a zone transfer with a secondary, the entire zone database file was transferred, even if there was only a single change. Windows 2000 DNS supports IXFR, or incremental zone transfers. In this implementation, only the changes are passed during the zone transfer, rather than the entire zone database file. 
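To make the AXFR/IXFR difference concrete, here is an added Python model (not code from the article or from Windows 2000 DNS) that builds both kinds of transfer message for a constructed zone history and applies them on the secondary. The message layout follows RFC 1995 for IXFR (for each serial step: old SOA, deletions, new SOA, additions, all framed by the current SOA) and the usual SOA-record-SOA framing for AXFR; the zone contents and serials are made up.

```python
"""AXFR versus IXFR. Added example, not code from the article. Messages are
modelled as lists of (name, type, rdata) tuples; zone data is constructed."""
from dataclasses import dataclass

SOA = "SOA"


@dataclass(frozen=True)
class ZoneVersion:
    serial: int
    records: frozenset   # of (name, type, rdata) tuples, SOA excluded


def soa(serial: int) -> tuple:
    return ("@", SOA, str(serial))


def axfr(current: ZoneVersion) -> list:
    """Full transfer: the whole zone framed by the SOA at start and end."""
    return [soa(current.serial), *sorted(current.records), soa(current.serial)]


def ixfr(history: list, secondary_serial: int) -> list:
    """Incremental transfer (RFC 1995). For every serial step the secondary is
    behind: old SOA, deleted records, new SOA, added records. Falls back to a
    full transfer when the secondary's serial is not in the retained history."""
    serials = [v.serial for v in history]
    latest = history[-1]
    if secondary_serial not in serials:
        return axfr(latest)
    start = serials.index(secondary_serial)
    if start == len(history) - 1:
        return [soa(latest.serial)]      # already current: a lone SOA says "no changes"
    msg = [soa(latest.serial)]
    for old, new in zip(history[start:], history[start + 1:]):
        msg.append(soa(old.serial))
        msg.extend(sorted(old.records - new.records))   # deletions
        msg.append(soa(new.serial))
        msg.extend(sorted(new.records - old.records))   # additions
    msg.append(soa(latest.serial))
    return msg


def apply_transfer(records, msg: list) -> set:
    """What the secondary does with either message; returns its new record set."""
    records = set(records)
    if len(msg) == 1:
        return records                          # nothing changed
    if msg[1][1] != SOA or msg[1] == msg[0]:
        return set(msg[1:-1])                   # AXFR: replace the zone outright
    deleting = False                            # IXFR: each SOA toggles delete/add sections
    for rec in msg[1:-1]:
        if rec[1] == SOA:
            deleting = not deleting
        elif deleting:
            records.discard(rec)
        else:
            records.add(rec)
    return records


def build_history() -> list:
    """Three constructed versions of a zone: 54 hosts, then two small edits."""
    base = {(f"host{i:02d}", "A", f"192.0.2.{i}") for i in range(1, 51)}
    base |= {("www", "A", "192.0.2.60"), ("mail", "A", "192.0.2.61"),
             ("ftp", "A", "192.0.2.62"), ("ns1", "A", "192.0.2.63")}
    v1 = ZoneVersion(2001051401, frozenset(base))
    v2_records = (base - {("ftp", "A", "192.0.2.62")}) | {("ftp", "A", "192.0.2.64"),
                                                          ("proxy", "A", "192.0.2.65")}
    v2 = ZoneVersion(2001051402, frozenset(v2_records))
    v3 = ZoneVersion(2001051403, frozenset(v2_records | {("intranet", "A", "192.0.2.66")}))
    return [v1, v2, v3]


if __name__ == "__main__":
    hist = build_history()
    print("AXFR entries:", len(axfr(hist[-1])))
    print("IXFR entries from", hist[0].serial, ":", len(ixfr(hist, hist[0].serial)))
```

With 54 records and two edits, the full transfer carries 58 entries while the incremental one carries 10, and both leave the secondary holding the same record set. The benefit scales with zone size: the larger the zone relative to the churn, the more WAN traffic IXFR saves, which is the point the text makes about the NT 4 behaviour.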

Active Directory Integration - Windows 2000 still supports the traditional primary / secondary implementation of DNS. In that scenario, changes to the zone file could only be made on the primary, which had the only writable copy. Windows 2000 introduces a new concept here - Active Directory Integrated DNS. In this implementation, the DNS zone file and associated information are stored as objects in Active Directory instead of as files in the DNS directory on the hard disk. This integration basically allows any domain controller running DNS to accept changes to the DNS database, with changes to the zone replicated as part of Active Directory replication. This also helps make DNS more fault-tolerant. In a traditional DNS environment, if the primary name server were to fail, all dynamic updates to DNS would be denied, since the writable copy would not be available. In AD-integrated DNS, all DNS servers are capable of handling an update. Note that legacy DNS servers can continue to exist - they can be secondaries, using the AD-integrated DNS server as a primary. 

That ends part one of the first article in the Active Directory portion of the series. I apologize for splitting this topic in half, but the alternative was one very long article. Next week I'll continue with a focus on the implementation-related aspects of DNS and Active Directory. This will include a look at the actual installation and configuration of DNS, as well as the installation of Active Directory. I hope you are enjoying the series so far and finding it useful. As always, I look forward to your comments and feedback - I can be contacted here. I also hope that you'll make use of my message board, where I (and others!) take the time to answer your questions as you study. Best of luck with your studies this week.

Dan

http://www.win2000trainer.com
