
Page 1: Changes to DNS

Changes to DNS in Windows Server 2003

By David Pracht

Page 2: Changes to DNS

Purpose

This overview discusses the changes made to Domain Name System (DNS) in Windows Server 2003.

Page 3: Changes to DNS

Overview of the changes

– Corrected issues
– DNS auto configuration in DCpromo
– Application directory partitions
– Stub zones
– Conditional forwarders
– Client DNS group policy
– DNS security extensions
– DNS extension mechanism
– DNS logging enhancements
– Round robin update
– Active Directory® domain rename

Page 4: Changes to DNS

Corrected Issues

Disjointed Namespace
– The Active Directory name is now forced as the domain suffix

Root Zone Issue
– A root zone must be created manually

Island Server Issue
– DNS servers register their DsaGuid._msdcs.<forestname> record with each DNS server that is a member of the domain

Page 5: Changes to DNS

DNS Auto Configuration in DCpromo

Client DNS settings automatically update if one of the following scenarios is met:

– There is a single network connection
– The preferred and alternate DNS settings match on all interfaces
– DNS settings exist only on one connection

Page 6: Changes to DNS

DNS Auto Configuration DNS Auto Configuration Process Process

1.1. Query current DNS servers specified in Query current DNS servers specified in network settings.network settings.

2.2. Update root hints using the largest set Update root hints using the largest set found.found.

3.3. Configure forwarders with the current Configure forwarders with the current preferred and alternate DNS servers.preferred and alternate DNS servers.

4.4. Configure DNS settings with 127.0.0.1 and Configure DNS settings with 127.0.0.1 and then configure all previous preferred and then configure all previous preferred and alternate DNS servers.alternate DNS servers.

5.5. If successful, log in Event Viewer.If successful, log in Event Viewer.

Page 7: Changes to DNS

If No Root Hints Found

If no root hints are found, log the following event:

The DNS server could not configure network connections of this computer with the DNS server running on the computer as the preferred DNS server because this computer is connected to the networks with different DNS namespaces. You must manually configure the local DNS server to perform name resolution on one or more of the namespaces before you can modify the preferred DNS servers (part of the TCP/IP configuration) of the network connections. If the network connections of this computer are not configured with the DNS server running on the computer as the preferred DNS server, this computer may not be able to dynamically register the domain controller locator DNS records in DNS. Absence of these records in DNS may prevent other Active Directory domain members and domain controllers from locating this domain controller.

Take the following steps: Ensure that DC locator DNS records enumerated in the %WinRoot%./System32/config/netlogon.dns file are registered on the local DNS server. If these records are not registered in DNS, add a delegation to this server to a parent DNS zone for the zone matching the name of the Active Directory domain or configure the local DNS server with appropriate root hints and forwarders, if necessary, and configure the network connections of the computer with the DNS server running on the computer as the preferred DNS server. Note that other computers using other DNS servers as the preferred or alternate DNS server may not be able to locate this domain controller unless the DNS infrastructure is properly configured.

Page 8: Changes to DNS

Application Directory Partitions

In Microsoft® Windows® 2000, if the DNS server is configured to use Active Directory Integrated zones, then the DNS zone data is stored in the domain naming context (DNC) partition of Active Directory. Every object created in the DNC, which includes DNS zones and nodes (DNS names, such as microsoft.com), is replicated to all the GCs in the domain.

Conversely, in Windows Server 2003, application directory partitions enable storage and replication of DNS zones stored in the non-domain naming context (NDNC) partition of Active Directory. By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC.

Page 9: Changes to DNS

Zone Replication Options

All DNS servers in the Active Directory forest
– The zone data is replicated to all the DNS servers running on domain controllers in all domains of the Active Directory forest.

All DNS servers in a specified Active Directory domain
– The zone data is replicated to all DNS servers running on domain controllers in the specified Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication.

All domain controllers in the Active Directory domain

All domain controllers specified in the replication scope of an application directory partition

Page 10: Changes to DNS

To Create or Delete an application directory partition

1. Open a command prompt.
2. Type ntdsutil.
3. At the ntdsutil command prompt, type domain management.
4. At the domain management command prompt, type connection.
5. At the connection command prompt, type connect to server ServerName.
6. At the connection command prompt, type quit.
7. At the domain management command prompt, do one of the following:
– To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController.
– To delete an application directory partition, type delete nc ApplicationDirectoryPartition.

Page 11: Changes to DNS

Stub Zones

– Allow a parent domain to automatically identify the DNS servers in a child domain.
– Only contain the SOA, NS, and A records.
– The DNS server is able to query NS directly instead of through recursion with root hints.
– Changes to zones are made when the master zone is updated or loaded.
– The local list of master zones defines physically local servers from which to transfer.

Page 12: Changes to DNS

Stub Zone Viewed From DNS Manager

Page 13: Changes to DNS

Local List of Master Servers

Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource records.

To force replication with a specific set of servers, select the Use the list above as a local list of masters check box on the General tab of the stub zone properties.

This option will only be available if the zone is stored in Active Directory.

The list is kept in the registry and not replicated in Active Directory.

Page 14: Changes to DNS

Stub Zone Properties Tab

Page 15: Changes to DNS

Conditional Forwarders

Forward DNS queries, based on the name in the query, to specific servers that have the closest match, in the order listed.

You can disable recursion specifically for each forwarder.

Primarily used for managing name resolution between different namespaces in your network.

Page 16: Changes to DNS

Forwarders Tab in DNS Properties

Page 17: Changes to DNS

Client DNS Group Policy

Central location for configuring many of the DNS client settings.

Group policy supersedes any manual or DHCP settings.

DNS suffix search list policy is key to transitioning to a NetBIOS-less environment.

Update Top Level Domain policy enables Windows XP clients to use a single label domain name.

Page 18: Changes to DNS

DNS Group Policies in the Default Domain Policy

Page 19: Changes to DNS

Policy Descriptions (1 of 2)

Primary DNS suffix
– Allows you to specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.

Dynamic update
– Determines if dynamic update is enabled.

DNS suffix search list
– When this setting is enabled, if a user submits a query for a single-label name, such as widgets, a local DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before sending the query to a DNS server.

Primary DNS suffix devolution
– Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.

Register PTR records
– Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.

Registration refresh interval
– Specifies the registration refresh interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied to computers using dynamic update only.
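The suffix search list and devolution policies above decide which fully qualified names a client actually sends. The following is an added illustration, not code from the presentation or from Microsoft: it generates the candidate list for a single-label query under constructed sample policy values, and the ordering assumed when no search list is set (primary suffix, then connection-specific suffix, then devolved parents of the primary suffix) is an assumption based on the documented Windows client default.

```python
"""Candidate names a DNS client tries for a query, driven by the DNS suffix
search list, primary DNS suffix, connection-specific suffix and primary DNS
suffix devolution policies.  Added illustration with constructed values."""
from typing import List, Optional


def devolve(primary_suffix: str, min_labels: int = 2) -> List[str]:
    """Primary DNS suffix devolution: drop the leftmost label repeatedly,
    stopping before fewer than `min_labels` labels remain, so the client
    never ends up querying a bare top-level domain such as 'com'."""
    labels = [l for l in primary_suffix.lower().strip(".").split(".") if l]
    parents: List[str] = []
    while len(labels) >= min_labels:
        parents.append(".".join(labels))
        labels = labels[1:]
    return parents


def candidate_fqdns(name: str,
                    primary_suffix: str = "",
                    connection_suffix: Optional[str] = None,
                    search_list: Optional[List[str]] = None,
                    devolution: bool = True) -> List[str]:
    """Return the fully qualified names the client tries, in order.

    - A name ending in '.' is already fully qualified and is sent unchanged.
    - A multi-label name is sent as given (no suffix appended).
    - If a DNS suffix search list policy is set, it is used exclusively:
      the primary/connection suffixes and devolution are skipped.
    - Otherwise (assumed order): primary suffix, connection-specific
      suffix, then the devolved parents of the primary suffix."""
    name = name.strip().lower()
    if name.endswith("."):
        return [name.rstrip(".")]
    if "." in name:
        return [name]
    if search_list:
        suffixes = [s.strip(".").lower() for s in search_list]
    else:
        suffixes = []
        if primary_suffix:
            suffixes.append(primary_suffix.strip(".").lower())
        if connection_suffix:
            suffixes.append(connection_suffix.strip(".").lower())
        if devolution and primary_suffix:
            suffixes.extend(devolve(primary_suffix))
    out: List[str] = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}"
        if suffix and fqdn not in out:      # de-duplicate, keep first position
            out.append(fqdn)
    return out


if __name__ == "__main__":
    # The slide's example: single-label 'widgets' with suffix microsoft.com.
    print(candidate_fqdns("widgets", search_list=["microsoft.com"]))
    # Devolution from a three-label primary suffix (constructed values).
    print(candidate_fqdns("widgets", primary_suffix="corp.microsoft.com",
                          connection_suffix="lab.microsoft.com"))
```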

Page 20: Changes to DNS

Policy Descriptions (2 of 2)

Replace addresses in conflicts
– Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record containing conflicting IP addresses.

Register DNS records with connection-specific DNS suffix
– Determines if a computer performing dynamic registration may register its A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix.

TTL set in the A and PTR records
– Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered in the computers to which this setting is applied.

Update security level
– Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update to register DNS records.

Update top-level domain zones
– Specifies whether the computers to which this policy is applied may send dynamic updates to the zones named with a single label name, also known as top-level domain zones, for example, com.

Page 21: Changes to DNS

DNS Security Extensions

DNSSEC allows RRs and zones to have integrity and encryption.

Zones and resource records (RRs) are signed with a private key.

Windows Server 2003 only provides basic support:
– Can only act as secondary zone.
– Cannot sign zones or resource records.

DNS server sends both signed and unsigned records in response to a query.

Windows Server 2003 client does not authenticate records; it simply passes them to the application.

Page 22: Changes to DNS

New DNSSEC Records

KEY: Public key resource record
– Contains the public key.

SIG: Signature resource record
– Contains the signature.

NXT: Next resource record
– Enables the DNS server to inform the client that a particular domain does not exist.

Page 23: Changes to DNS

DNS Extension Mechanism

OPT Resource Record

As described in RFC 2671, EDNS0 uses an OPT pseudo-RR that is added to the additional data section of either a DNS request or a DNS response to indicate the sender's ability to handle the extended DNS protocols.

It is called a pseudo-RR because it pertains to a particular transport level message and not to any actual DNS data.

OPT RRs are never cached, forwarded, stored in, or loaded from zone files.

Page 24: Changes to DNS

DNS Extension Mechanism

Allows DNS server to send User Datagram Protocol (UDP) packets larger than 512 bytes.

UDP length is defined in the OPT RR that is part of a DNS query.

EDNS0 support is server-side, not client-side.

EDNS0 cache: Caches support hosts for one month.
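To make the OPT pseudo-RR from the two slides above concrete, here is an added example (not code from the presentation or from Microsoft) that builds a query carrying an OPT RR in the additional section and reads the advertised UDP payload size back out of a message; a peer that never sends the record is treated as limited to the classic 512 bytes. The query name, transaction ID and sizes are constructed sample values.

```python
"""Build a DNS query with an EDNS0 OPT pseudo-RR (RFC 2671) and extract the
UDP payload size a sender advertises.  Added example with constructed values."""
import struct
from typing import Optional

CLASSIC_UDP_LIMIT = 512   # pre-EDNS0 maximum UDP DNS message size
OPT_TYPE = 41             # OPT pseudo-RR type code
QTYPE_A, CLASS_IN = 1, 1


def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels ending with the root label."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, udp_payload: Optional[int] = 4096,
                txid: int = 0x1234) -> bytes:
    """Standard recursive query for an A record.  When udp_payload is given,
    one OPT pseudo-RR is appended to the additional section (ARCOUNT=1) to
    advertise that the sender accepts UDP responses up to that many bytes."""
    arcount = 1 if udp_payload else 0
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, arcount)
    question = encode_name(qname) + struct.pack(">HH", QTYPE_A, CLASS_IN)
    opt = b""
    if udp_payload:
        # OPT RR: NAME=root (0x00), TYPE=41, CLASS=sender's UDP payload size,
        # TTL=extended RCODE/version/flags (all zero), RDLENGTH=0 (no options)
        opt = b"\x00" + struct.pack(">HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Advance past a wire-format name, including a compression pointer."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:       # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def advertised_udp_size(msg: bytes) -> int:
    """Walk every section of a DNS message.  If an OPT pseudo-RR is present,
    return the UDP buffer size in its CLASS field; otherwise return the
    classic 512-byte limit, which is all a non-EDNS0 peer can be assumed
    to accept."""
    qdcount, ancount, nscount, arcount = struct.unpack(">HHHH", msg[4:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            return rclass
    return CLASSIC_UDP_LIMIT


if __name__ == "__main__":
    q = build_query("www.example.com.")
    print(len(q), "bytes on the wire; peer accepts up to",
          advertised_udp_size(q), "bytes of UDP")
    print("without OPT:", advertised_udp_size(build_query("www.example.com", None)))
```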

Page 25: Changes to DNS

DNS Logging Enhancements

Debug Logging: Most logging options have not changed, but the graphical user interface (GUI) has been updated to make it much easier to configure logging for troubleshooting purposes.

Enable filtering based on the IP address: Provides additional filtering of the packets to be logged based on IP address.

Event Logging tab: Controls the level of events logged.

Page 26: Changes to DNS

Event and Debug Logging Tabs

Page 27: Changes to DNS

Round Robin Update

You can now specify that certain RR types are not to be round-robin rotated.

This is modified using a registry entry called DoNotRoundRobinTypes with a string value containing a list of RR types.

The registry value is located at HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes.

Page 28: Changes to DNS

Active Directory Domain Rename Behavior

Found in the Rendom.exe tool.

The DC Locator records associated with the new name are pre-published in the authoritative DNS servers by the netlogon service running on the domain controllers of the domain:
– CNAME <DsaGuid>._msdcs.<DnsForestName>
– SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
– SRV _ldap._tcp.gc._msdcs.<DnsForestName>
– SRV _ldap._tcp.dc._msdcs.<DnsDomainName>

Page 29: Changes to DNS

Rendom.exe

Verifies the integrity of the domain. This includes the ability to verify the presence or absence of DC Locator resource records on authoritative DNS servers.

Page 30: Changes to DNS

Resource Records Affected by a Domain Rename

CNAME <DsaGuid>._msdcs.<DnsForestName>
– There must be one CNAME record associated with every domain controller in all authoritative DNS servers. This ensures that replication will take place from that domain controller.

SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
– There must be one SRV record pertaining to the PDC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers.

SRV _ldap._tcp.gc._msdcs.<DnsForestName>
– There must be at least one record pertaining to at least one GC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one GC, while other DNS servers may contain the records of this type registered by other GCs. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.

SRV _ldap._tcp.dc._msdcs.<DnsDomainName>
– There must be at least one record pertaining to at least one domain controller on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one domain controller, while other DNS servers may contain the records of this type registered by other domain controllers. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.
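The four rules above can be checked mechanically against a snapshot of each authoritative server's records. The following is an added example, not Rendom.exe and not Microsoft code: it applies exactly those rules (one CNAME per domain controller, exactly one PDC SRV, at least one GC SRV, at least one DC SRV) to constructed sample data; the forest name, domain name, server names and GUIDs are placeholders, and a real check would populate the snapshot from the servers instead.

```python
"""Verify the DC Locator records a domain rename depends on, per
authoritative DNS server.  Added example; sample snapshot is constructed."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str]   # (rrtype, owner name), e.g. ("SRV", "_ldap._tcp.pdc._msdcs.<domain>")


def required_names(forest: str, domain: str, dsa_guids: Iterable[str]):
    """Owner names the rename requires: (cname_names, pdc_srv, gc_srv, dc_srv)."""
    forest, domain = forest.lower().strip("."), domain.lower().strip(".")
    cnames = [f"{g.lower()}._msdcs.{forest}" for g in dsa_guids]
    return (cnames,
            f"_ldap._tcp.pdc._msdcs.{domain}",
            f"_ldap._tcp.gc._msdcs.{forest}",
            f"_ldap._tcp.dc._msdcs.{domain}")


def verify_locator_records(records_by_server: Dict[str, List[Record]],
                           forest: str, domain: str,
                           dsa_guids: Iterable[str]) -> Dict[str, List[str]]:
    """Return {server: [problem, ...]}; an empty list means that server holds
    every record the slide requires.  Counts are per owner name, so the gc
    and dc SRV rules are satisfied by whichever GC or DC registered first,
    matching the 'temporarily sufficient' wording on the slide."""
    cnames, pdc, gc, dc = required_names(forest, domain, list(dsa_guids))
    report: Dict[str, List[str]] = {}
    for server, records in records_by_server.items():
        have = Counter((t.upper(), n.lower().strip(".")) for t, n in records)
        problems: List[str] = []
        for name in cnames:                       # rule 1: one CNAME per DC
            n = have[("CNAME", name)]
            if n != 1:
                problems.append(f"CNAME {name}: expected 1, found {n}")
        n = have[("SRV", pdc)]                    # rule 2: exactly one PDC SRV
        if n != 1:
            problems.append(f"SRV {pdc}: expected 1, found {n}")
        for name in (gc, dc):                     # rules 3 and 4: at least one
            if have[("SRV", name)] < 1:
                problems.append(f"SRV {name}: none present")
        report[server] = problems
    return report


# Constructed sample snapshot (placeholder names/GUIDs): dns1 is complete;
# dns2 has not yet received the PDC SRV record and lacks one DC's CNAME.
SAMPLE_FOREST = SAMPLE_DOMAIN = "newcorp.example"
SAMPLE_GUIDS = ["11111111-1111-1111-1111-111111111111",
                "22222222-2222-2222-2222-222222222222"]
SAMPLE_RECORDS: Dict[str, List[Record]] = {
    "dns1": [("CNAME", f"{SAMPLE_GUIDS[0]}._msdcs.{SAMPLE_FOREST}"),
             ("CNAME", f"{SAMPLE_GUIDS[1]}._msdcs.{SAMPLE_FOREST}"),
             ("SRV", f"_ldap._tcp.pdc._msdcs.{SAMPLE_DOMAIN}"),
             ("SRV", f"_ldap._tcp.gc._msdcs.{SAMPLE_FOREST}"),
             ("SRV", f"_ldap._tcp.dc._msdcs.{SAMPLE_DOMAIN}"),
             ("SRV", f"_ldap._tcp.dc._msdcs.{SAMPLE_DOMAIN}")],
    "dns2": [("CNAME", f"{SAMPLE_GUIDS[0]}._msdcs.{SAMPLE_FOREST}"),
             ("SRV", f"_ldap._tcp.gc._msdcs.{SAMPLE_FOREST}"),
             ("SRV", f"_ldap._tcp.dc._msdcs.{SAMPLE_DOMAIN}")],
}

if __name__ == "__main__":
    report = verify_locator_records(SAMPLE_RECORDS, SAMPLE_FOREST,
                                    SAMPLE_DOMAIN, SAMPLE_GUIDS)
    for server, problems in report.items():
        print(server, "OK" if not problems else problems)
```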

Page 31: Changes to DNS

Acknowledgements

Microsoft employee
– Jeff Bryant, Beta Technology Support Professional, Microsoft Corporation

Microsoft internal specifications
– Automatic configuration of DNS client during installation of a local DNS server by DCpromo, Levon Esibov, and others
– Group Policies for DNS Client, Levon Esibov, and others
– Domain Based Forwarding, Levon Esibov, and others
– Logging Enhancements, Levon Esibov, and others
– Stub DNS Zones, Levon Esibov, and others
– DNS Update API Enhancements – Resolve the Island Problem, Levon Esibov, and others
– DNS Zones stored in NDNC, Levon Esibov, and others
– Store DNSSEC records, Levon Esibov, and others
– EDNS0, Levon Esibov, and others
– Verification of Resource Records crucial to authentication and replication during Domain Rename, Kamal Janardhan, and others

Other publications
– Windows .NET DNS Help and preliminary Windows .NET Server Resource Kit DNS chapters, Michael Cretzman.
– Windows .NET Server DNS Whitepaper v.61, Steve Hahn, BTS