Back To Basics: Windows 2000 DNS Server Roles - Part 1
One of the big differences between Windows NT 4.0 and Windows 2000 is the importance of the Domain Naming System (DNS) Server. In Windows NT 4.0, DNS was something you could do without, as WINS was able to take care of just about all of your name resolution needs. This isn't the case anymore with Windows 2000. The new operating system is highly dependent on DNS for core domain functions and without a functional DNS Server, you will not even be able to implement Windows 2000 domains.
In this series of articles we'll take a look at some of the interesting and important aspects of DNS. Make sure that you're a DNS expert if you plan to roll out Windows 2000 on your network, and if you plan to pass the Windows 2000 exams! In this first article we'll look at the various roles a DNS Server can take on your network.
Primary DNS Server
A Primary DNS server contains the only writable copy of the zone database. A Primary DNS server is also authoritative for the domain or domains contained in its zone database files. Primary DNS servers are authoritative because they can respond directly to DNS queries. Keep in mind that Secondary DNS Servers are also authoritative for the domains included in their zone database files. This is why the Primary DNS Server contains the Start of Authority record: the Primary is the start, but not the end, of the chain of authority.
Primary DNS Servers share certain characteristics with all DNS servers, including:
- Zone database information, which is stored in %systemroot%\system32\dns
- The ability to cache resolved queries
- A cache.dns file (or "root hints" file), which contains host name to IP address mappings for the Internet DNS root servers
Note that all zone files are stored in the %systemroot%\system32\dns directory. Zone file names are based on the name of the zone and are appended with the ".dns" file extension. This is the case when we are working with standard zones. You will see next week that we can also implement Active Directory enabled DNS zones. In that case, the zone database information is stored in the Active Directory, and not in text-based zone database files.
DNS Server Query Caching
All DNS Servers cache the results of the queries they perform. When a DNS Server issues an iterative query to another DNS Server, it places the results in its cache. Cached information is stored in system memory and is not written to disk (except, perhaps, to the page file if physical memory runs short). Because the cached query results are stored almost solely in RAM, the information is lost after a server reboot. Therefore, DNS Servers are most effective when reboots are avoided.
Negative DNS Caching
Be aware that the Windows 2000 DNS Server supports negative caching. If a lookup fails to produce a result, the DNS Server will remember that the host name returned a negative result, and for the next 5 minutes, by default, the Server will answer negatively from its cache. Separately, if the DNS Client receives a negative result from all the DNS Servers it queries, it will immediately return a negative response to the application and will not query the DNS Server again.
It's important to note that in the first case, the DNS Client still queries the DNS Server, and the DNS Server responds negatively from the negative entry it has in its cache. In the second case, the DNS Client will not even query the DNS Server, but will immediately return a negative result to the application for 30 seconds. All this negative caching helps reduce DNS-related traffic for dead sites.
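The two negative caches described above, modelled in Python as an added example (not code from the original column): the 5-minute server lifetime and the 30-second client lifetime are the defaults the column cites, while the zone data, host names and the injectable clock are constructed for the demonstration.

```python
SERVER_NEGATIVE_TTL = 5 * 60   # seconds; Windows 2000 DNS Server default per the column
CLIENT_NEGATIVE_TTL = 30       # seconds; DNS Client Service default per the column


class DnsServer:
    """Model of a DNS server's in-memory cache (constructed, not real server code)."""

    def __init__(self, zone_data, clock):
        self.zone_data = zone_data   # name -> IP for the names this server can resolve
        self.clock = clock           # callable returning the current time in seconds
        self.negative = {}           # name -> expiry time of the cached negative answer
        self.queries_received = 0

    def query(self, name):
        self.queries_received += 1
        now = self.clock()
        # Case 1: a fresh negative entry is answered straight from the cache,
        # even if the name has been added to the zone in the meantime.
        if self.negative.get(name, 0) > now:
            return None
        self.negative.pop(name, None)
        ip = self.zone_data.get(name)
        if ip is None:
            self.negative[name] = now + SERVER_NEGATIVE_TTL
        return ip


class DnsClient:
    """Model of the DNS Client Service's own negative cache (constructed)."""

    def __init__(self, servers, clock):
        self.servers = servers       # Preferred server first, then Alternates
        self.clock = clock
        self.negative = {}

    def resolve(self, name):
        now = self.clock()
        # Case 2: every server answered negatively recently, so answer the
        # application locally and send no query at all.
        if self.negative.get(name, 0) > now:
            return None
        self.negative.pop(name, None)
        for server in self.servers:
            ip = server.query(name)
            if ip is not None:
                return ip
        self.negative[name] = now + CLIENT_NEGATIVE_TTL
        return None
```

Driving the model with a clock you control shows the effect the column describes: the second lookup of a dead name never reaches the server, and a name added to the zone stays unresolvable until the server's 5-minute negative entry expires.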
The Root Hints File
The cache.dns file (also known as the Root Hints file) contains host name and IP address mappings for the root Internet DNS servers. If a DNS server receives a recursive query for a domain for which it is not authoritative, it must complete the recursion by issuing iterative queries. The iterative query process begins with the Root DNS servers if the target domain in the DNS query is not contained in the DNS server's cache.
DNS Servers can be Authoritative for Multiple Domains
Something a lot of Windows NT 4.0 MCSEs don't realize is that a DNS server can be authoritative for multiple domains. For example, the swynk.com DNS zone file can contain entries authoritative for both swynk.com and sql.swynk.com. Since the server is authoritative for these domains, it does not need to issue iterative queries to other DNS servers in order to resolve such a request.
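An added Python example (not from the original column) that ties the root hints file and the multiple-domain authority point together: it parses a constructed cache.dns-style excerpt (the 192.0.2.x addresses are documentation-range placeholders, not real root servers), finds which of a server's zones contains a queried name by longest-suffix match, and decides whether the answer comes from zone data, the cache, or an iterative walk that starts at the root servers.

```python
import ipaddress

# Constructed root-hints excerpt in the cache.dns (BIND zone file) layout.
# Placeholder addresses only; a real cache.dns lists the Internet root servers.
ROOT_HINTS = """\
; constructed sample, not a real cache.dns
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.1
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.2
"""


def parse_root_hints(text):
    """Return {root server host name: IP address} from cache.dns-style text."""
    names, addrs = [], {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = [f for f in line.split() if f.upper() != "IN"]   # class is optional
        owner, _ttl, rtype, rdata = fields
        if owner == "." and rtype == "NS":
            names.append(rdata.lower())
        elif rtype == "A":
            addrs[owner.lower()] = str(ipaddress.ip_address(rdata))  # rejects garbage
    return {n: addrs[n] for n in names if n in addrs}


def authoritative_zone(qname, zones):
    """Longest-suffix match: which of this server's zones (if any) contains qname?"""
    zones = {z.lower().rstrip(".") for z in zones}
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def plan_lookup(qname, zones, cache, hints):
    """Where the answer comes from, in the order the column describes."""
    zone = authoritative_zone(qname, zones)
    if zone:
        return ("authoritative", zone)            # answered from the zone file
    if qname in cache:
        return ("cache", cache[qname])            # answered from RAM
    return ("iterative", sorted(hints.values()))  # recursion begins at the roots
```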
Primary DNS Servers Can Also Be Secondaries
A Primary DNS Server can also be a Secondary DNS Server. A Primary DNS server that receives zone transfers from another Primary server acts in the role of Secondary for that zone. Any DNS server can take the role of a Primary and/or Secondary DNS Server. The only difference between the two is that the Primary zone file is writable while the Secondary zone file is read-only.
Secondary DNS Servers
The public Domain Naming System was designed to include at least two DNS servers authoritative for each zone. In a traditional DNS Server setup, one of these is a Primary and the other a Secondary. Secondary DNS Servers provide the following:
- Fault Tolerance: If the Primary DNS Server is somehow disabled, the Secondary can still authoritatively answer requests for the zone.
- Load Balancing: By distributing the query load across multiple servers, a Primary server is not as impacted by large numbers of DNS queries.
- Reduction in Bandwidth Requirements: Secondary Servers can be placed in remote locations, which reduces the need to traverse a WAN for name resolution.
Zone Fault Tolerance
Like Primary servers, Secondary DNS Servers contain zone database files. The Secondary receives a copy via zone transfer. A Primary DNS server for the zone acts as a Master Server and copies the zone file to the Secondary during a zone transfer. Secondary DNS servers can answer DNS client queries and therefore they are also authoritative for the zones they contain. DNS clients are configured with the IP addresses of Preferred and Alternate DNS servers for fault tolerance. Name resolution services can continue without interruption by querying the Secondary server if the Primary should become disabled.
Zone Load Balancing and Bandwidth Preservation
Load balancing allows you to distribute the DNS query load among multiple DNS servers. A single DNS server could be overwhelmed by name query traffic if all client computers were to access a single Primary Server simultaneously. Clients on different segments can be configured to query local Secondary servers. This disperses the query load among Primary and Secondary DNS servers for a zone.
Fault tolerance, load balancing and bandwidth preservation provide cogent reasons to implement Secondary DNS Servers. If you plan to maintain your own DNS servers on the Internet, the Domain Registrar will require you to have at least one Primary and one Secondary DNS server for your second level domain.
In next week's installment of Back To Basics, we'll expand on the DNS Server roles and take a look at some of the other important roles the DNS Server can take. Specifically, we'll cover the Caching Only Server, Forwarders and Slaves. DNS Forwarders and DNS Slave Servers are extremely important parts of your security infrastructure. Be sure not to miss next week's column!
For More Information
For more information on DNS, check out the Syngress/Osborne study guide for the Implementing and Administering a Windows 2000 Network Infrastructure (70-216) exam.
For more information on the Windows 2000 DNS Server's technical details, check out the Microsoft white paper on the subject.