One of the big differences between Windows NT 4.0
and Windows 2000 is the importance of the Domain Naming System (DNS) Server. In
Windows NT 4.0, DNS was something you could do without, as WINS was able to take
care of just about all of your name resolution needs. This isn’t the case
anymore with Windows 2000. The new operating system is highly dependent on DNS
for core domain functions and without a functional DNS Server, you will not even
be able to implement Windows 2000 domains.
In this series of articles we’ll take a look at some of the interesting and important aspects of DNS. Make sure that you’re a DNS expert if you plan to roll out Windows 2000 on your network, and if you plan to pass the Windows 2000 exams! In this first article we’ll look at the various roles a DNS Server can take on your network.
Primary DNS Server
A Primary DNS server contains the only writable copy of the zone database. A Primary DNS server is also authoritative for the domain or domains contained in its zone database files. Primary DNS servers are authoritative because they can respond directly to DNS queries. Keep in mind that Secondary DNS Servers are also authoritative for domains included in their zone database files. This is why the Primary DNS Server contains the Start of Authority Record. The Primary is the start, but not the end, of the chain of
Primary DNS Servers share certain characteristics with all DNS servers, including:
- Zone database information, which is stored in the %systemroot%\system32\dns directory
- The ability to cache resolved queries
- A cache.dns file (or “root hints” file), which contains host name to IP address mappings for the Internet DNS root servers
Note that all zone files are stored in the %systemroot%\system32\dns directory. Zone file names are based on the name of the zone and are appended with the “.dns” file extension. This is the case when we are working with standard zones. You will see next week that we can also implement Active Directory enabled DNS zones. In this case, the zone database information is stored in the Active Directory, and not in text-based zone database files.
DNS Server Query Caching
All DNS Servers cache the results of the queries they perform. When a DNS Server issues an iterative query to another DNS Server, it places the results in its cache. Cached information is stored in system memory and is not written to disk (except, perhaps, to the page file if physical memory gets short). Because the cached query results are stored almost solely in RAM, the information is lost after a server reboot. Therefore, DNS Servers are most effective when reboots are avoided.
Negative DNS Caching
Be aware that the Windows 2000 DNS Server supports negative caching. If a lookup fails to produce a result, the DNS Client Service will remember that the host name returned a negative result, and for the next 5 minutes, by default, the Server will answer negatively from its cache. If the DNS Client receives a negative result from all DNS Servers it queries, it will immediately return a negative response, and will not query the DNS Server.
It’s important to note that in the first case, the DNS Client still queries the DNS Server, and the DNS Server will respond negatively from the negative entry it has in its cache. In the second case, the DNS Client will not even query the DNS Server, but will immediately return to the application a negative result for 30 seconds. All this negative caching helps reduce DNS-related traffic for dead sites.
The Root Hints File
The cache.dns file (also known as the Root Hints
file) contains host name and IP address mappings for the root Internet DNS
servers. If a DNS server receives a recursive query for a domain for which it is
not authoritative, it must complete the recursion by issuing iterative queries.
The iterative query process begins with the Root DNS servers if the target
domain in the DNS query is not contained in the DNS server’s cache.
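The three sections above (query caching, negative caching, and recursion that begins at the root hints) can be seen together in a small simulation. This is an added example written for this column, not Microsoft’s DNS Server code. The zone tree, the addresses, the 3600-second positive TTL and the FakeClock are constructed for the illustration; the 5-minute server-side and 30-second client-side negative cache lifetimes are the defaults the text cites.

```python
"""Added example: a simulated resolver showing iterative lookups that start at
the root hints, positive caching, the server's 5-minute negative cache and the
client's own 30-second negative cache. All data here is constructed."""
import time

# Constructed stand-in for the Internet DNS tree. Each zone lists its own A
# records and the sub-zones it delegates (NS). swynk.com. holds sql.swynk.com.
# directly, so one zone answers for both names without any referral.
ZONES = {
    ".":          {"A": {}, "NS": ["com."]},
    "com.":       {"A": {}, "NS": ["swynk.com."]},
    "swynk.com.": {"A": {"www.swynk.com.": "203.0.113.10",
                         "sql.swynk.com.": "203.0.113.20"}, "NS": []},
}
ROOT_HINTS_ZONE = "."   # where the cache.dns (root hints) file points a server

def ask_server(zone, name):
    """One iterative query to the server authoritative for `zone`.
    Returns ("ANSWER", ip), ("REFERRAL", sub_zone) or ("NXDOMAIN", None)."""
    z = ZONES[zone]
    if name in z["A"]:
        return "ANSWER", z["A"][name]
    for sub in z["NS"]:
        if name == sub or name.endswith("." + sub):
            return "REFERRAL", sub
    return "NXDOMAIN", None

class FakeClock:
    """Deterministic clock for the example; advance() stands in for elapsed time."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class DnsServer:
    POSITIVE_TTL = 3600   # assumed TTL of the constructed records
    NEGATIVE_TTL = 300    # the 5-minute default the article cites

    def __init__(self, clock=time.time):
        self.clock = clock
        self.cache = {}             # name -> (expires_at, ip or None); RAM only
        self.iterative_queries = 0  # upstream traffic this server generated
        self.client_queries = 0     # recursive queries received from clients

    def reboot(self):
        """The cache lives only in memory, so a restart discards it."""
        self.cache.clear()

    def resolve(self, name):
        """Serve a recursive client query. Returns (ip or None, from_cache)."""
        self.client_queries += 1
        now = self.clock()
        hit = self.cache.get(name)
        if hit is not None and hit[0] > now:
            return hit[1], True
        zone = ROOT_HINTS_ZONE        # cache miss: walk down from the roots
        while True:
            self.iterative_queries += 1
            kind, value = ask_server(zone, name)
            if kind == "ANSWER":
                self.cache[name] = (now + self.POSITIVE_TTL, value)
                return value, False
            if kind == "NXDOMAIN":    # negative caching: remember the failure too
                self.cache[name] = (now + self.NEGATIVE_TTL, None)
                return None, False
            zone = value              # follow the referral one level down

class DnsClient:
    NEGATIVE_TTL = 30   # the client-side 30-second negative cache from the article

    def __init__(self, servers, clock=time.time):
        self.servers = servers   # Preferred server first, then Alternates
        self.clock = clock
        self.negative = {}       # name -> expires_at

    def lookup(self, name):
        """Return an IP or None. A name every server answered negatively is
        answered locally for 30 s without any server being asked again."""
        now = self.clock()
        if self.negative.get(name, 0) > now:
            return None
        for server in self.servers:
            ip, _ = server.resolve(name)
            if ip is not None:
                return ip
        self.negative[name] = now + self.NEGATIVE_TTL
        return None

if __name__ == "__main__":
    clock = FakeClock()
    server = DnsServer(clock=clock)
    print(server.resolve("www.swynk.com."), server.iterative_queries)   # 3 upstream queries
    print(server.resolve("www.swynk.com."), server.iterative_queries)   # cache hit, still 3
```

Counting iterative_queries makes the traffic saving visible: the first lookup of a name costs a walk from the roots, a repeat costs nothing until the entry expires, a dead name is answered negatively for five minutes, and a client that has already been told “no” by every server it knows stops asking for thirty seconds. Calling reboot() shows why the text recommends avoiding restarts: the whole cache is gone.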
DNS Servers can be Authoritative for Multiple Domains
Something a lot of Windows NT 4.0 MCSEs don’t realize is
that a DNS server can be authoritative for multiple domains. For example, the
swynk.com DNS zone file can contain entries authoritative for swynk.com
and sql.swynk.com. Since it is authoritative for these domains, it does
not need to issue iterative queries to other DNS servers in order to resolve the
Primary DNS Servers Can Also Be Secondaries
A Primary DNS Server can also be a Secondary DNS Server. A Primary DNS server that receives zone transfers from another Primary server acts in the role of Secondary. Any DNS server can take the role of a Primary and/or Secondary DNS Server. The only difference between the two is that the Primary zone file is writable while the Secondary zone file is read-only.
Secondary DNS Servers
The public Domain Naming System was designed to include at least two DNS servers authoritative for each zone. In a traditional DNS Server setup, one of these is a Primary and the other a Secondary. Secondary DNS Servers provide the following:
- Fault Tolerance: If the Primary DNS Server is somehow disabled, the Secondary can still authoritatively answer requests for the zone.
- Load Balancing: By distributing the query load across multiple servers, a Primary server is not as impacted by large amounts of DNS query traffic.
- Reduction in Bandwidth Requirements: Secondary Servers can be placed in remote locations, which reduces the need to traverse a WAN for name resolution.
Zone Fault Tolerance
Like Primary servers, Secondary DNS Servers contain zone database files. The Secondary receives a copy via zone transfer. A Primary DNS server for the zone acts as a Master Server and copies the zone file to the Secondary during a zone transfer. Secondary DNS servers can answer DNS client queries and therefore they are also authoritative for the zones they contain. DNS clients are configured with the IP addresses of Preferred and Alternate DNS servers for fault tolerance. Name resolution services can continue without interruption by querying the Secondary server if the Primary should
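To tie the Primary and Secondary roles together (the writable zone file, the Start of Authority record, one zone answering for both swynk.com and sql.swynk.com, the zone transfer from a Master, and a client falling back from its Preferred to its Alternate server), here is an added example. It is not code from this column or from Windows 2000: the swynk.com zone text is constructed in the RFC 1035 master-file format that standard .dns files use, every host and address is invented, and the parse_zone, PrimaryServer, SecondaryServer and client_lookup helpers, including the rule that a Secondary transfers only when the Master’s SOA serial is newer, are assumptions made for the illustration.

```python
"""Added example: Primary and Secondary roles for a standard (file-backed) zone.
The zone text below is constructed in the RFC 1035 master-file format that
standard .dns zone files use; every host and address in it is invented."""
import copy

# One zone file carries records for swynk.com. and sql.swynk.com., so a server
# loading it is authoritative for both names. SOA rdata is: primary master,
# responsible mailbox, (serial refresh retry expire minimum).
SWYNK_ZONE = """\
@   IN SOA ns1.swynk.com. hostmaster.swynk.com. (2000061501 3600 600 86400 300)
@   IN NS  ns1.swynk.com.
@   IN NS  ns2.swynk.com.
ns1 IN A   203.0.113.1
ns2 IN A   203.0.113.2
www IN A   203.0.113.10
sql IN A   203.0.113.20
"""

def parse_zone(text, origin):
    """Minimal master-file parser (one record per line, '@' and relative names).
    Returns (soa_serial, {fqdn: {rtype: [rdata, ...]}})."""
    serial, records = None, {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments/blank lines
        if not line:
            continue
        name, _cls, rtype, rdata = line.split(None, 3)
        fqdn = origin if name == "@" else f"{name}.{origin}"
        if rtype == "SOA":
            serial = int(rdata.split("(", 1)[1].split()[0])
        records.setdefault(fqdn, {}).setdefault(rtype, []).append(rdata)
    return serial, records

class ZoneServer:
    """What Primary and Secondary share: authoritative answers for the zone."""
    def __init__(self, origin):
        self.origin, self.serial, self.records, self.online = origin, None, {}, True

    def is_authoritative(self, name):
        return name == self.origin or name.endswith("." + self.origin)

    def query(self, name, rtype="A"):
        """Authoritative answer: list of rdata ([] = name does not exist in the
        zone). None = outside the zone, so recursion would be needed instead."""
        if not self.online:
            raise ConnectionError(f"{self.origin} server unreachable")
        if not self.is_authoritative(name):
            return None
        return list(self.records.get(name, {}).get(rtype, []))

class PrimaryServer(ZoneServer):
    """Holds the only writable copy of the zone and its Start of Authority record."""
    def __init__(self, origin, zone_text):
        super().__init__(origin)
        self.serial, self.records = parse_zone(zone_text, origin)

    def add_record(self, name, rtype, rdata):
        """Edits happen here only; bumping the SOA serial lets Secondaries notice."""
        self.records.setdefault(name, {}).setdefault(rtype, []).append(rdata)
        self.serial += 1

    def zone_transfer(self):
        """Act as Master: hand a Secondary a full copy of the zone file."""
        return self.serial, copy.deepcopy(self.records)

class SecondaryServer(ZoneServer):
    """Read-only copy of the zone obtained from a Master by zone transfer."""
    def __init__(self, origin, master):
        super().__init__(origin)
        self.master = master
        self.refresh()

    def refresh(self):
        """Transfer only when the Master's SOA serial is newer (assumed rule)."""
        if self.serial is not None and self.master.serial <= self.serial:
            return False
        self.serial, self.records = self.master.zone_transfer()
        return True

    def add_record(self, name, rtype, rdata):
        raise PermissionError("Secondary zone file is read-only; edit the Primary")

def client_lookup(servers, name):
    """A client with Preferred and Alternate servers: fail over when one is down."""
    for server in servers:
        try:
            return server.query(name)
        except ConnectionError:
            continue
    raise LookupError(f"no configured DNS server reachable for {name}")

if __name__ == "__main__":
    primary = PrimaryServer("swynk.com.", SWYNK_ZONE)
    secondary = SecondaryServer("swynk.com.", primary)
    primary.online = False          # the Primary goes down...
    print(client_lookup([primary, secondary], "sql.swynk.com."))   # ...the Secondary still answers
```

Two details worth noticing when you run it: a record added on the Primary is invisible on the Secondary until the next refresh, so a Secondary can serve a slightly stale but still authoritative answer, and a client that lists both servers keeps resolving names when the Primary is unreachable.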
Zone Load Balancing and Bandwidth Preservation
Load balancing allows you to distribute the DNS query load
among multiple DNS servers. A single DNS server could be overwhelmed by name
query traffic if all client computers were to access a single Primary Server
simultaneously. Clients on different segments can be configured to query local
Secondary servers. This disperses the query load among Primary and Secondary DNS
servers for a zone.
Fault tolerance, load balancing and bandwidth preservation
provide cogent reasons to implement Secondary DNS Servers. If you plan to
maintain your own DNS servers on the Internet, the Domain Registrar will require
you to have at least one Primary and one Secondary DNS server for your second
In next week’s rendition of Back To Basics, we’ll expand on the DNS Server roles and take a look at some of the other important roles the DNS Server can take. Specifically, we’ll cover the Caching Only Server and Forwarders and Slaves. DNS Forwarders and DNS Slave Servers are extremely important parts of your security infrastructure. Be sure not to miss next week’s column!
For More Information
For more information on DNS, check out the
Syngress/Osborne study guide for the Implementing and Administering a Windows
2000 Network Infrastructure (70-216) exam HERE.
For more information on the Windows 2000 DNS Server’s
technical details, check out the Microsoft white paper on the subject HERE.