Changes to DNS in Windows Server 2003, by Lohit Ahuja


Page 1: Configuring Dns

Changes to DNS in Windows Server 2003

By Lohit Ahuja

Page 2: Configuring Dns

Purpose

This overview discusses the changes made to Domain Name System (DNS) in Windows Server 2003.

Page 3: Configuring Dns

Overview of the changes

- Corrected issues
- DNS auto configuration in DCpromo
- Application directory partitions
- Stub zones
- Conditional forwarders
- Client DNS group policy
- DNS security extensions
- DNS extension mechanism
- DNS logging enhancements
- Round robin update
- Active Directory® domain rename

Page 4: Configuring Dns

Corrected Issues

- Disjointed Namespace – The Active Directory name is now forced as the domain suffix
- Root Zone Issue – A root zone must be created manually
- Island Server Issue – DNS servers register their DsaGuid._msdcs.<forestname> record with each DNS server that is a member of the domain

Page 5: Configuring Dns

DNS Auto Configuration in DCpromo

Client DNS settings automatically update if one of the following scenarios is met:

- There is a single network connection
- The preferred and alternate DNS settings match on all interfaces
- DNS settings exist only on one connection

Page 6: Configuring Dns

DNS Auto Configuration Process

1. Query current DNS servers specified in network settings.
2. Update root hints using the largest set found.
3. Configure forwarders with the current preferred and alternate DNS servers.
4. Configure DNS settings with 127.0.0.1 and then configure all previous preferred and alternate DNS servers.
5. If successful, log in Event Viewer.

Page 7: Configuring Dns

If No Root Hints Found

If no root hints are found, log the following event:

The DNS server could not configure network connections of this computer with the DNS server running on the computer as the preferred DNS server because this computer is connected to the networks with different DNS namespaces. You must manually configure the local DNS server to perform name resolution on one or more of the namespaces before you can modify the preferred DNS servers (part of the TCP/IP configuration) of the network connections. If the network connections of this computer are not configured with the DNS server running on the computer as the preferred DNS server, this computer may not be able to dynamically register the domain controller locator DNS records in DNS. Absence of these records in DNS may prevent other Active Directory domain members and domain controllers from locating this domain controller.

Take the following steps: Ensure that DC locator DNS records enumerated in the %WinRoot%\System32\config\netlogon.dns file are registered on the local DNS server. If these records are not registered in DNS, add a delegation to this server to a parent DNS zone for the zone matching the name of the Active Directory domain or configure the local DNS server with appropriate root hints and forwarders, if necessary, and configure the network connections of the computer with the DNS server running on the computer as the preferred DNS server. Note that other computers using other DNS servers as the preferred or alternate DNS server may not be able to locate this domain controller unless the DNS infrastructure is properly configured.

Page 8: Configuring Dns

Application Directory Partitions

In Microsoft® Windows® 2000, if the DNS server is configured to use Active Directory Integrated zones, then the DNS zone data is stored in the domain naming context (DNC) partition of Active Directory. Every object created in the DNC, which includes DNS zones and nodes (DNS names, such as microsoft.com), is replicated to all the GCs in the domain.

Conversely, in Windows Server 2003, application directory partitions enable storage and replication of DNS zones stored in the non-domain naming context (NDNC) partition of Active Directory. By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC.

Page 9: Configuring Dns

Zone Replication Options

- All DNS servers in the Active Directory forest – The zone data is replicated to all the DNS servers running on domain controllers in all domains of the Active Directory forest.
- All DNS servers in a specified Active Directory domain – The zone data is replicated to all DNS servers running on domain controllers in the specified Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication.
- All domain controllers in the Active Directory domain
- All domain controllers specified in the replication scope of an application directory partition

Page 10: Configuring Dns

To Create or Delete an application directory partition

1. Open a command prompt.
2. Type ntdsutil.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server ServerName.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, do one of the following:
   - To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController.
   - To delete an application directory partition, type delete nc ApplicationDirectoryPartition.

Page 11: Configuring Dns

Stub Zones

- Allow a parent domain to automatically identify the DNS servers in a child domain.
- Only contain the SOA, NS, and A records.
- The DNS server is able to query NS directly instead of through recursion with root hints.
- Changes to zones are made when the master zone is updated or loaded.
- The local list of master zones defines physically local servers from which to transfer.

Page 12: Configuring Dns

Stub Zone Viewed From DNS Manager

Page 13: Configuring Dns

Local List of Master Servers

Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource records.

To force replication with a specific set of servers, select the Use the list above as a local list of masters check box on the General tab of the stub zone properties.

This option will only be available if the zone is stored in Active Directory.

The list is kept in the registry and not replicated in Active Directory.

Page 14: Configuring Dns

Stub Zone Properties Tab

Page 15: Configuring Dns

Conditional Forwarders

Forward DNS queries based on the name in the query to specific servers that have the closest match, in the order listed.

You can disable recursion specifically for each forwarder.

Primarily used for managing name resolution between different namespaces in your network.

Page 16: Configuring Dns

Forwarders Tab in DNS Properties

Page 17: Configuring Dns

Client DNS Group Policy

Central location for configuring many of the DNS client settings.

Group policy supersedes any manual or DHCP settings.

DNS suffix search list policy is key to transitioning to a NetBIOS-less environment.

Update Top Level Domain policy enables Windows XP clients to use a single label domain name.

Page 18: Configuring Dns

DNS Group Policies in the Default Domain Policy

Page 19: Configuring Dns

Policy Descriptions (1 of 2)

Primary DNS suffix – Allows you to specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.

Dynamic update – Determines if dynamic update is enabled.

DNS suffix search list – When this setting is enabled, if a user submits a query for a single-label name, such as widgets, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before sending the query to a DNS server.

Primary DNS suffix devolution – Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.

Register PTR records – Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.

Registration refresh interval – Specifies the registration refresh interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied to computers using dynamic update only.
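How a single-label query is expanded under the DNS suffix search list and primary DNS suffix devolution policies, as an added example that is not code from the presentation. The precedence it assumes (a configured search list replaces the primary suffix and devolution) and the two-label devolution floor are modelling assumptions, and the last helper flags devolved suffixes that fall outside the organisation's own zone, which is the check to run before leaving devolution enabled.

```python
"""Model of DNS client name expansion under the suffix search list and
devolution group policies. Added example; assumptions are noted inline."""
from typing import List, Optional


def devolve(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """Primary DNS suffix devolution: walk the suffix up one label at a time.

    corp.contoso.com -> ["corp.contoso.com", "contoso.com"]. The walk stops
    before a single-label suffix (assumed floor) so no bare TLD is queried.
    """
    labels = [part for part in primary_suffix.strip(".").split(".") if part]
    candidates = []
    while len(labels) >= min_labels:
        candidates.append(".".join(labels))
        labels = labels[1:]
    return candidates


def candidate_fqdns(name: str, primary_suffix: str,
                    search_list: Optional[List[str]] = None,
                    devolution: bool = True) -> List[str]:
    """Fully qualified names the client would try for `name`, in order."""
    if name.endswith("."):
        return [name.rstrip(".")]        # already fully qualified: sent as-is
    if "." in name:
        return [name]                    # multi-label name: modelled as sent unchanged
    if search_list:
        # "DNS suffix search list" policy: the list is used on its own and the
        # primary suffix and devolution are not consulted (assumed precedence).
        return [f"{name}.{suffix.strip('.')}" for suffix in search_list]
    if devolution:
        suffixes = devolve(primary_suffix)
    else:
        suffixes = [primary_suffix.strip(".")]
    return [f"{name}.{suffix}" for suffix in suffixes]


def suffixes_outside_org(primary_suffix: str, org_suffix: str) -> List[str]:
    """Devolved suffixes that are not at or below the zone the organisation owns.

    Queries for those suffixes leave the organisation's namespace, so a
    non-empty result is the reason to prefer an explicit search list.
    """
    org = org_suffix.strip(".").lower()
    return [s for s in devolve(primary_suffix)
            if not (s.lower() == org or s.lower().endswith("." + org))]
```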

Page 20: Configuring Dns

Policy Descriptions (2 of 2)

Replace addresses in conflicts – Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record containing conflicting IP addresses.

Register DNS records with connection-specific DNS suffix – Determines if a computer performing dynamic registration may register its A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix.

TTL set in the A and PTR records – Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered in the computers to which this setting is applied.

Update security level – Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update to register DNS records.

Update top-level domain zones – Specifies whether the computers to which this policy is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, com.

Page 21: Configuring Dns

DNS Security Extensions

DNSSEC allows RRs and zones to have integrity and encryption.

Zones and resource records (RRs) are signed with a private key.

Windows Server 2003 only provides basic support:
- Can only act as secondary zone.
- Cannot sign zones or resource records.

DNS server sends both signed and unsigned records in response to a query.

Windows Server 2003 client does not authenticate records; it simply passes them to the application.

Page 22: Configuring Dns

New DNSSEC Records

- KEY: Public key resource record – Contains the public key.
- SIG: Signature resource record – Contains the signature.
- NXT: Next resource record – Enables the DNS server to inform the client that a particular domain does not exist.

Page 23: Configuring Dns

DNS Extension Mechanism

OPT Resource Record

As described in RFC 2671, EDNS0 uses an OPT pseudo-RR that is added to the additional data section of either a DNS request or a DNS response to indicate the sender's ability to handle the extended DNS protocols.

It is called a pseudo-RR because it pertains to a particular transport level message and not to any actual DNS data.

OPT RRs are never cached, forwarded, stored in, or loaded from zone files.

Page 24: Configuring Dns

DNS Extension Mechanism

Allows DNS server to send User Datagram Protocol (UDP) packets larger than 512 bytes.

UDP length is defined in the OPT RR that is part of a DNS query.

EDNS0 support is server-side, not client-side.

EDNS0 cache: Caches host support for one month.
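The OPT pseudo-RR the two slides above describe, worked through on the wire. This is an added example, not code from the presentation or from the Windows DNS server: it builds a query whose additional section carries an OPT RR advertising a UDP payload size above 512 bytes, reads the advertised size back out of any message (skipping compressed names on the way), and applies the RFC 2671 rule that an advertised value below 512 counts as 512. Names, transaction ids and sizes are constructed; nothing is sent on the network.

```python
"""EDNS0 OPT pseudo-RR (RFC 2671): NAME=root, TYPE=41, CLASS=sender's UDP payload
size, TTL=extended RCODE | version | flags, placed in the additional section.
Added example with constructed messages only."""
import struct
from typing import Dict, Optional

OPT_TYPE = 41            # pseudo-RR type assigned by RFC 2671
CLASS_IN = 1
TYPE_A = 1
CLASSIC_UDP_LIMIT = 512  # pre-EDNS0 ceiling for a UDP DNS message


def encode_name(name: str) -> bytes:
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_opt_rr(udp_payload_size: int, ext_rcode: int = 0, version: int = 0,
                 do_bit: bool = False) -> bytes:
    """Root name, TYPE 41, CLASS = payload size, TTL = rcode|version|flags, RDLEN 0."""
    ttl = (ext_rcode << 24) | (version << 16) | (0x8000 if do_bit else 0)
    return b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_payload_size, ttl, 0)


def build_query(qname: str, qtype: int, txid: int,
                udp_payload_size: Optional[int] = None) -> bytes:
    """A recursive query; when udp_payload_size is given, an OPT RR is appended."""
    arcount = 1 if udp_payload_size else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", qtype, CLASS_IN)
    msg = header + question
    if udp_payload_size:
        msg += build_opt_rr(udp_payload_size)
    return msg


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def parse_opt(msg: bytes) -> Optional[Dict[str, int]]:
    """Return the OPT RR fields from the additional section, or None if absent."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):              # question: name + QTYPE + QCLASS
        off = _skip_name(msg, off) + 4
    for _ in range(an + ns):         # answer and authority RRs are skipped whole
        off = _skip_name(msg, off)
        rdlen = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlen
    for _ in range(ar):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == OPT_TYPE:
            return {"udp_payload_size": rclass, "ext_rcode": ttl >> 24,
                    "version": (ttl >> 16) & 0xFF, "do": (ttl >> 15) & 1}
        off += 10 + rdlen
    return None


def max_response_size(msg: bytes) -> int:
    """UDP size a responder may use for this query: advertised size, else 512."""
    opt = parse_opt(msg)
    if opt is None or opt["version"] != 0:
        # No OPT, or an EDNS version we do not speak (a real server answers
        # BADVERS): stay within the classic limit.
        return CLASSIC_UDP_LIMIT
    return max(opt["udp_payload_size"], CLASSIC_UDP_LIMIT)  # RFC 2671: <512 means 512
```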

Page 25: Configuring Dns

DNS Logging Enhancements

Debug Logging: Most logging options have not changed but the graphical user interface (GUI) has been updated to make it much easier to configure logging for troubleshooting purposes.

Enable filtering based on the IP address: Provides additional filtering of the packets to be logged based on IP address.

Event Logging tab: Controls the level of events logged.

Page 26: Configuring Dns

Event and Debug Logging Tabs

Page 27: Configuring Dns

Round Robin Update

You can now specify that certain RR types are not to be round-robin rotated.

This is modified using a registry entry called DoNotRoundRobinTypes with a string value containing a list of RR types.

The registry entry is located at HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes.

Page 28: Configuring Dns

Active Directory Domain Rename Behavior

Found in the Rendom.exe tool.

The DC Locator records associated with the new name are pre-published in the authoritative DNS servers by the netlogon service running on the domain controllers of the domain:
- CNAME <DsaGuid>._msdcs.<DnsForestName>
- SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
- SRV _ldap._tcp.gc._msdcs.<DnsForestName>
- SRV _ldap._tcp.dc._msdcs.<DnsDomainName>

Page 29: Configuring Dns

Rendom.exe

Verifies the integrity of the domain. This includes the ability to verify the presence or absence of DC Locator resource records on authoritative DNS servers.

Page 30: Configuring Dns

Resource Records Affected by a Domain Rename

CNAME <DsaGuid>._msdcs.<DnsForestName> – There must be one CNAME record associated with every domain controller in all authoritative DNS servers. This ensures that replication will take place from that domain controller.

SRV _ldap._tcp.pdc._msdcs.<DnsDomainName> – There must be one SRV record pertaining to the PDC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers.

SRV _ldap._tcp.gc._msdcs.<DnsForestName> – There must be at least one record pertaining to at least one GC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one GC, while other DNS servers may contain the records of this type registered by other GCs. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.

SRV _ldap._tcp.dc._msdcs.<DnsDomainName> – There must be at least one record pertaining to at least one domain controller on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one domain controller, while other DNS servers may contain the records of this type registered by other domain controllers. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.
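The four requirements on this slide as an offline checker, added here as an example rather than taken from the presentation or from Rendom.exe. It runs the rules against a constructed snapshot of what each authoritative DNS server holds and reports, per server, which DC Locator records are absent (and whether a stale second PDC record survived). The forest name, DC GUIDs and server names are placeholders; a real run would fill each snapshot from DNS queries against every authoritative server.

```python
"""Offline check of the DC Locator records a domain rename depends on.
Added example; names, GUIDs and snapshots below are constructed placeholders."""
from typing import Dict, List, Set, Tuple

# (rrtype, owner name in lowercase) -> targets that server returns for it
Snapshot = Dict[Tuple[str, str], Set[str]]
Rule = Tuple[str, str, str]   # (description, rrtype, owner)

FOREST = "corp.example"       # placeholder DnsForestName
DOMAIN = "corp.example"       # placeholder DnsDomainName (forest root domain here)
DC_GUIDS = {                  # placeholder DsaGuid per domain controller
    "dc1": "11111111-1111-1111-1111-111111111111",
    "dc2": "22222222-2222-2222-2222-222222222222",
}


def locator_rules(forest: str, domain: str, dc_guids: Dict[str, str]) -> List[Rule]:
    """One rule per record the slide requires on every authoritative server."""
    rules: List[Rule] = [
        (f"CNAME for {dc} (replication)", "CNAME", f"{guid}._msdcs.{forest}")
        for dc, guid in dc_guids.items()          # one CNAME per DC, no exceptions
    ]
    rules += [
        ("PDC SRV (authentication)", "SRV", f"_ldap._tcp.pdc._msdcs.{domain}"),
        ("at least one GC SRV", "SRV", f"_ldap._tcp.gc._msdcs.{forest}"),
        ("at least one DC SRV", "SRV", f"_ldap._tcp.dc._msdcs.{domain}"),
    ]
    return rules


def verify_server(snapshot: Snapshot, rules: List[Rule]) -> List[str]:
    """Failures for one authoritative server; an empty list means it passes."""
    failures = []
    for desc, rrtype, owner in rules:
        targets = snapshot.get((rrtype, owner.lower()), set())
        if not targets:
            failures.append(f"{desc}: no {rrtype} {owner}")
        elif owner.startswith("_ldap._tcp.pdc.") and len(targets) > 1:
            # The slide expects one PDC record; a second target is a stale one.
            failures.append(f"{desc}: {len(targets)} PDC targets {sorted(targets)}")
    return failures


def verify_all(servers: Dict[str, Snapshot], rules: List[Rule]) -> Dict[str, List[str]]:
    """Run the rules against every authoritative server, keyed by server name."""
    return {name: verify_server(snap, rules) for name, snap in servers.items()}


def sample_servers() -> Dict[str, Snapshot]:
    """Constructed snapshots: ns1 is complete, ns2 lacks dc2's CNAME and the PDC SRV."""
    g1, g2 = DC_GUIDS["dc1"], DC_GUIDS["dc2"]
    base: Snapshot = {
        ("CNAME", f"{g1}._msdcs.{FOREST}"): {"dc1.corp.example"},
        ("SRV", f"_ldap._tcp.gc._msdcs.{FOREST}"): {"dc1.corp.example"},
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}"): {"dc1.corp.example"},
    }
    ns1 = dict(base)
    ns1[("CNAME", f"{g2}._msdcs.{FOREST}")] = {"dc2.corp.example"}
    ns1[("SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}")] = {"dc1.corp.example"}
    ns2 = dict(base)   # the dc2 CNAME and the PDC SRV never reached this server
    return {"ns1": ns1, "ns2": ns2}
```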

Page 31: Configuring Dns

Acknowledgements

Microsoft employee
- Jeff Bryant, Beta Technology Support Professional, Microsoft Corporation

Microsoft internal specifications
- Automatic configuration of DNS client during installation of a local DNS server by DCpromo, Levon Esibov, and others
- Group Policies for DNS Client, Levon Esibov, and others
- Domain Based Forwarding, Levon Esibov, and others
- Logging Enhancements, Levon Esibov, and others
- Stub DNS Zones, Levon Esibov, and others
- DNS Update API Enhancements – Resolve the Island Problem, Levon Esibov, and others
- DNS Zones stored in NDNC, Levon Esibov, and others
- Store DNSSEC records, Levon Esibov, and others
- EDNS0, Levon Esibov, and others
- Verification of Resource Records crucial to authentication and replication during Domain Rename, Kamal Janardhan, and others

Other publications
- Windows .NET DNS Help and preliminary Windows .NET Server Resource Kit DNS chapters, Michael Cretzman.
- Windows .NET Server DNS Whitepaper v.61, Steve Hahn, BTS