DNS and Windows 2000 AD Issues

Admin Tip #39 : DNS and Windows 2000 AD Issues

Hits: Failed to execute CGI : Win32 Error Code = 3

A critical Windows 2000 Active Directory domain requirement is DNS. It goes without saying that Microsoft recommends its own DNS. For a Microsoft shop, this is no problem. For larger enterprises with heterogeneous networks, with an existing unix-based DNS using BIND, Microsoft's DNS is probably not a good choice. Active Directory requires DNS features available in BIND version 8.1.2, but because of security issues version 8.2.2 or later is recommended. Check the Internet Software Consortium for BIND updates.

The most important AD requirement for DNS servers is support for DNS service resource records (SRV RR). RFC 2782 has the current definition for SRV RR. Resource records in DNS allow clients to query for the IP address of a server by the name of a service as opposed to the name of a computer. DNS versions that don't support SRV RR cannot be used with Microsoft's Active Directory.

Microsoft also recommends support for dynamic updates which is a feature for DNS defined in RFC 2136 that allows clients to dynamically update records in the DNS. But dynamic updates are not really required for Active Directory to function.

There are real advantages if you can use W2K DNS. You can integrate DNS in Active Directory which provides integrated security and redundancy. The DNS database is replicated to the domain controllers and protected by AD discretionary access control lists (DACLs). If the DNS servers are using Active Directory to store their zone data, AD handles the zone replication. Zone transfers are automatic. It shares the AD multi-master characteristic whereas traditional DNS is single-master. W2K DNS supports incremental zone transfers, RFC 1995, when using standard zone files permitting a secondary DNS server to pull only the zone changes that it needs to synchronize its copy of zone data with the primary's zone data. W2K clients can dynamically register and update their DNS records and DHCP will dynamically update the records for downlevel clients (NT, Win9x).

Thus your organization has the DNS options for your Windows 2000 domain:

Replace existing DNS servers to use Windows 2000 DNS exclusively
highly recommended if it works for your environment
Upgrade existing non-W2K DNS servers to BIND version 8.2.2 or later
Implement a mixed DNS environment by using W2K's DNS for the W2K domain only.

There is another major factor which has to be taken into account. DNS names are restricted to the characters A to Z, digits, and the hyphen(-). The first character of a DNS label can be either a letter or a digit according to RFC 1123. Microsoft's machine naming is based on Netbios names which supports a much wider character set including curly braces ({}), the underscore (_), and the exclamation mark (!) among others. The underscore is particularly common. There is usually a low level of tension between the unix DNS administrator and Windows NT admins over the issue.

Microsoft's W2K DNS supports alternate character set defined in RFC 2181. RFC2181 specifies that a DNS label can be any binary string that does not necessarily need to be interpreted as ASCII. Thus Microsoft suggests the use of UTF-8 character encoding that is a superset of ASCII and a translation of Unicode (not hard to understand why since NT is based on Unicode standards).

To change the naming standard in W2K DNS:

In the DNS console, right-click on DNS server
Select Properties
Select Advanced tab.
Make your choice in the Name Checking drop-down list

There are four character set options:

Strict RFC (ANSI) : RFC 1123, A-Z, 0-9, - (dash)
Non-RFC (ANSI): adds underscore to ANSI set
Multibyte (UTF8) : allows UTF8 characters (Microsoft naming standard)
Any names : allows any character

For a strictly private network, Microsoft's suggested unicode standard works well. If its a strictly Microsoft network. You again have to decide on whether enforcing standards on the Microsoft world which the heterogeneous network needs or whether to have dual support.

Operationally, a GUI interface is great for novice administrators but is cumbersome if you have to perform the same task over and over again. Command line tools can be more efficient than GUI tools. Dnscmd.exe is one of the support tools from Support.cab, which is located in the support\tools directory on the Windows 2000 CD.

Dnscmd.exe can be used to:

Get DNS server info
Initiate server scavenging
Enumerate and view zone info
Create, delete, pause, and resume zones
Change zone type (standard primary, standard secondary, AD integrated)
Add, delete, and enumerate records in a zone

For example, to create a new standard primary zone called stdprizone.test.com on server server1.test.com and stored in stdprizone.dns files:

dnscmd server1.test.com /ZoneAdd stdprizone.test.com /Primary /file stdprizone.dns

The syntax for adding DNS A records is similar:

Dnscmd server_name /RecordAdd zone_name computer_name A IP_address

To add an A record for testcomp1 with an IP address of 172.254.1.100 in the test.com zone on stdprizone.test.com server:

Dnscmd stdprizone.test.com /RecordAdd test.com testcomp1 A 172.254.1.100

To manually force zone replication:

Dnscmd server_name /ZoneRefresh zone_name

See Microsoft's DNS and AD site with configuration tips and white papers including

Configuring Windows 2000 DNS to Support Active Directory
Domain Name Service (DNS)
Chapter 16 from Microsoft Windows 2000 TCP/IP Protocols and Services Technical Reference
DNS : Setting Up the Domain Name System for Active Directory
DNS in the Active Directory Tree
webcast
DNS in the Active Directory Tree Part 2: Best Practices, Common Problems, and Troubleshooting
webcast
HOW TO: Convert a DNS Server to a Root DNS Server
HOW TO: Create a Child Domain in Active Directory and Delegate the DNS Namespace to the Child Domain
HOW TO: Integrate DNS with Existing DNS Infrastructure If Active Directory Is Enabled in Windows 2000
Windows 2000 DNS White Paper
The DNS Place

Table of Contents