DNS is the name service of Windows 2000. Windows 2000 clients use DNS for name resolution and service location, including locating domain controllers for logon.
Any DNS Server implementation supporting service location resource records (SRV RRs, as described in an Internet Draft "A DNS RR for specifying the location of services", RFC 2052 (DNS SRV) and dynamic update, (RFC 2136) is sufficient to provide the name service for Windows 2000–based computers. Theses services are provided by DNS servers compatible with BIND 8.1.2 or later.
The Domain Name System is a hierarchical distributed database and an associated set of protocols that define:
| A mechanism for querying and updating the database. |
| A mechanism for replicating the information in the database among servers. |
| A schema of the database. |
The names in a DNS database form a hierarchical tree structure called the domain name space. Domain names consist of individual labels separated by dots. For example: mydomain.microsoft.com.
A Fully Qualified Domain Name (FQDN) uniquely identifies the host’s position within the DNS hierarchical tree by specifying a list of names separated by dots on the path from the referenced host to the root.
Each node in the tree of a DNS database, along with all the nodes below it, is called a domain. Domains can contain both hosts (computers) and other domains (subdomains). For example, the Microsoft domain microsoft.com could contain both computers such as FTP.microsoft.com and subdomains such as dev.microsoft.com which could contain hosts such as ntserver.dev.microsoft.com.
Before you can install DNS, the server must have a static ip address and the host and domain name must be specified. You can install DNS via the following ways :
| During the setup of Windows 2000. |
| After the setup of Windows 2000. (Add programs, windows components, networking, no reboot) |
| During Active Directory installation. (Manually created Reverse lookup zone and ‘Allow updates’) |
A DNS database consists of resource records (RRs). Each RR identifies a particular resource within the database. There are various types of RRs in DNS.
The following table provides detailed information on structure of common RRs (Note: this is not an exhaustive list of RRs):
|
Description |
Class |
TTL |
Type |
Data |
| Start of Authority | Internet (IN) | Default TTL is 60 minutes | SOA | Owner Name,Primary Name Server DNS Name, Serial Number,Refresh Interval,Retry Interval,Expire Time,Minimum TTL |
| Host | Internet (IN) | Zone (SOA) TTL | A | Owner Name (Host DNS Name),Host IP Address |
| Name Server | Internet (IN) | Zone (SOA) TTL | NS | Owner Name,Name Server DNS Name |
| Mail Exchanger | Internet (IN) | Zone (SOA) TTL | MX | Owner Name,Mail Exchange Server DNS Name, Preference Number |
| Canonical Name (alias) | Internet (IN) | Zone (SOA) TTL | CNAME | Owner Name (Alias Name),Host DNS Name |
I
n a zone file, the "@" symbol represents the root domain of the zone (microsoft.com in the following examples). The "IN" in the following records is the class of data. It stands for Internet. Other classes exist, but none of them are currently in widespread use.Any domain name in the database file which is not terminated with a period "." will have the root domain appended to the end.
The first record in any database file is the SOA Record.
@ IN SOA <source host> <contact e-mail> <ser. no.> <refresh time> <retry time> <expiration time> <TTL>
| Source host. The host on which this file is maintained. |
| Contact e-mail. The Internet e-mail address for the person responsible for this domain’s database file. (@ will be replaced by dot) |
| Serial number. The ‘version number’ of this database file. This number should increase each time the database file is changed. |
| Refresh time. The elapsed time (in seconds) that a secondary server will wait between checks to its master server to see if the database file has changed and a zone transfer should be requested. Default 15 minutes (900 seconds) |
| Retry time. The elapsed time (in seconds) that a secondary server will wait before retrying a failed zone transfer. Default 10 minutes. (600 seconds) |
| Expiration time. The elapsed time (in seconds) that a secondary server will keep trying to download a zone. After this time limit expires, the old zone information will be discarded. Default 24 hours. |
| Minimum (default) Time to Live. The elapsed time (in seconds) that a DNS server is allowed to cache any resource records from this database file. This is the value that is sent out with all query responses from this zone file when the individual resource record does not contain an overriding value. |
| TTL for this record. TTL for the SOA-record. (Default 1 hour) |
Example:
@ IN SOA nameserver1.microsoft.com. glennwo.microsoft.com. (
1 ; serial number
10800 ; refresh [3 hours]
3600 ; retry [1hour]
604800 ; expire [7 days]
86400 ) ; time to live [1 day]
Setting the servers refresh interval is a balance between data consistency (accuracy of your data) and your networks load.
Lists the name servers for this domain allowing other name servers to lookup names in your domain. It also refers to delegated domains. In this case the DNS server of the delegated domain needs a NS and an A record.
<domain> NS <nameserver host >
Example:
@ NS nameserver2.microsoft.com.
@ NS nameserver3.microsoft.com.
delnameserver A 10.10.0.33
deldomain NS delnameserver.microsoft.com
This record tells which host processes mail for this domain. If multiple mail exchange records exist, the resolver will attempt to contact the mail servers in order of preference from lowest value (highest priority) to highest value (lowest priority). By using the example records that follow, mail addressed to scottsu@microsoft.com is delivered to scottsu@mailserver0.microsoft.com first. If the mailserver0 is unavailable the mail is send to scottsu@mailserver1.microsoft.com.
<domain> MX <preference> <mailserver host >
Example:
@ MX 1 mailserver0
@ MX 2 mailserver1
A host record is used to statically associate hosts names to IP addresses within a zone. It should contain entries for all hosts which require static mappings including workstations, name servers, mail servers, etc. These are the records which make up most of the database file when static records are used.
<host name> A <ip address of host>
Example:
rhino A 157.55.200.143
nameserver2 A 157.55.200.2
mailserver1 A 157.55.200.51
If more than one record exists for the same server, the DNS server will create load-balancing if the Round-Robin function is active. The setting is activated by default.
IP version 6 uses the AAAA recource record to store the host's ip address.
<hostname> AAAA IPV6 ip address
A local host record allows lookups for "localhost.microsoft.com." to return 127.0.0.1.
localhost A 127.0.0.1
These records are sometimes called ‘aliases’ but are technically referred to as ‘Canonical Name’ (CNAME) entries. These records allow you to use more than one name to point to a single host.
Using canonical names makes it easy to do such things as host both an FTP server and a Web server on the same machine.
<host alias name> CNAME <host name>
Example:
Assume that www.microsoft.com and ftp.microsoft.com are on the same machine. If this is the case then you might have the following entries in your zone file:
FileServer1 A 157.55.200.41
ftp CNAME FileServer1
www CNAME FileServer1
If you ever intend on moving the FTP server service away from the Web service, then all you have to do is change the CNAME in the DNS server for FTP and add an address record for the new server. For example:
FileServer2 A 157.55.200.42
FTP CNAME FileServer2
Wins records can be used to check a WINS server if the query cannot be solved via DNS. Only queries to direct children of the rootzone of the DNS-server host will be resolved. You can add the following options to a WINS record :
@ IN WINS [ttl] <local> <LookupTimeout> <CacheTimeout> <ip address of WINS server>
TTL sets the time a WINS record can be cached, Local specifies whether the record must be included in a zone replication, LookupTimeout sets the number of seconds the DNS server waits for a response from the WINS server (default 2 seconds) and CacheTimeout sets the amount of seconds the DNS server can cache the DNS entry (default 15 minutes). By specifying the ‘local’ option, WINS-records will not be replicated. This can be used the specify different WINS servers for different DNS servers of the same domain.
The WINS-R resource record is used for reverse lookups by using a NetBIOS adapter node status query. It has the same parameters as the WINS record execpt that the NameResultDomain is specified instead of the ip address of the WINS server. The NameResultDomain specifies the domain that is append to the NetBIOS name.
Examples :
@ IN WINS 5 3600 192.5.29.2 192.5.29.3
@ IN WINS LOCAL 5 3600 192.5.29.5 192.5.29.6
@ IN WINS-R LOCAL 5 3600 microsoft.com
PTR (pointer) records are used for reverse lookups. They are only in subdomains of the in-addr.arpa domain. An example of a PTR record for a client with ip address 150.10.20.1 in the 150.10.0.0 network is :
1.20 IN PTR client.domain.com.
This record is stored in the 10.150.in-addr.arpa domain.
SRV (service locator records) are used to locate hosts providing specific services. The format is :
<service>.<protocol>.<name> <ttl> <class> SRV <priority> <weight> <port> <target>
| Service. A case sensitive symbolic name of the offered service. |
| Protocol. A case sensitive description of the protocol. In most cases tcp or udp is used. |
| Name. The domain name the service refers to. |
| TTL. Time to live. The amount of time in seconds the resolver may cache the record. |
| Class. The class the record is used for. (IN) |
| Priority. The client will try to contact the service with the lowest priority-entry first. The range is 0-65535. |
| Weight. If the priority is the same, this value is used for load balancing. The range is 1-65535. When 0 is entered, load balancing is not activated. |
| Port. The port of the service. The range is 0-65535. |
| Target. The host that offers this service. There should also be an A-record for this host. A target of a dot means that this service is not available at this domain. |
For example :
_ldap._tcp_dc._msdc 300 IN SRV 0 100 389 kona.kapoho.com
Before the type of record, (A, SRV, CNAME etc.) you can fill in a TTL and a Class. The TTL describes the time in seconds a resolver may cache the record. The class should always be IN.
A DNS database can be partitioned into multiple zones. A zone is a portion of the DNS database that contains the resource records with the owner names that belong to the contiguous portion of the DNS namespace. Zone files are maintained on DNS servers. A single DNS server can be configured to host zero, one or multiple zones.
Each zone is anchored at a specific domain name referred to as the zone’s root domain. A zone contains information about all names that end with the zone’s root domain name. A DNS server is considered authoritative for a name if it loads the zone containing that name. The first record in any zone file is a Start of Authority (SOA) RR. The SOA RR identifies a primary DNS name server for the zone as the best source of information for the data within that zone and as an entity processing the updates for the zone.
Names within a zone can also be delegated to other zone(s). Delegation is a process of assigning responsibility for a portion of a DNS namespace to a separate entity. This separate entity could be another organization, department or workgroup within your company. In technical terms, delegating means assigning authority over portions of your DNS namespace to other zones. Such delegation is represented by the NS record that specifies the delegated zone and the DNS name of the server authoritative for that zone. Delegating across multiple zones was part of the original design goal of DNS. The main reasons for the delegation of a DNS namespace are :
| A need to delegate management of a DNS domain to a number of organizations or departments within an organization. |
| A need to distribute the load of maintaining one large DNS database among multiple name servers to improve the name resolution performance as well as create a DNS fault tolerant environment. |
| A need to allow for host’s organizational affiliation by including them in appropriate domains. |
There could be multiple zones representing the same portion of the namespace. Among these zones there are two types:
| Primary is a zone to which all updates for the records that belong to that zone are made. |
| A secondary zone is represented by a read-only copy of the primary zone. The changes made to the primary zone file are replicated to the secondary zone file(s). |
As mentioned above, a name server can host multiple zones. A server can therefore be primary for one zone (it has the master copy of the zone file) and secondary for another zone (it gets a read-only copy of the zone file).
The process of replicating a zone file to multiple name servers is called a zone transfer. A zone transfer is achieved by copying the zone file information from the master server to the secondary server.
The source of zone information for a secondary name server in a DNS hierarchy is referred to as a master name server. A master name server can be either a primary or secondary name server for the requested zone.
The zone transfer is initiated in one of the following ways:
| The master server sends a notification (RFC 1996) to the secondary server(s) of a change in the zone. |
| When the secondary server’s DNS service starts or the secondary server’s refresh interval has expired (by default it is set to 15 minutes in the SOA RR), it will query the primary server for the changes. |
There are two types of zone file replication. The first, full zone transfer (AXFR), replicates the entire zone file. The second, incremental zone transfer (IXFR), replicates only the changed records of the zone.
There are two types of the AXFR: One requires single record per packet, the other allows multiple records per packet (fast zone transfer). The Windows 2000 DNS server supports both, but by default uses multiple records per packet, unless is configured differently. You can disable fast zone transfers via the option ‘Bind secondaries’ on the Advanced tab of the DNS server.
Incremental zone transfers are initiated by a master server sending a NOTIFY-packet. After receiving this packet, a slave server capable of IXFR, will send an NOTIFY-packet containing the SOA-serial number of it’s copy of the zone-file. After receiving this packet the master-server will start the incremental transfer. A full transfer (AXFR) will be made if :
| The sum of changes is large than the entire zone. |
| Only a number of changes where kept on the master server to increase performance. |
| If the name-server receiving the IXFR-request did not understand it. (non-ixfr compliant) |
The changes of the DNS database that should be transferred via an incremantal zone replication are stored in the domainname.dns.log.file.
If the zones are directory-integrated, the Active Directory replication mechanism is used. The main benefits are :
| The replication is more efficient and quicker as only updates are transferred. |
| Compression is used on replication between sites. |
| Only on replication mechanism has to be maintained for Active Directory and DNS. |
DNS queries can be sent from a client (resolver) to a DNS server (a name server), or between two name servers.
A query is merely a request for records of a specified type with a specified name. For example, a query can request all host RRs with a particular name.
There are two types of queries that can be made to a DNS server:
| Recursive query |
| Iterative query |
A recursive query forces a DNS server to respond to a request with either a failure or a successful response. Resolvers typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it needs to resolve the request. When it receives a successful response from the other DNS server(s), it then sends a response to the client. The recursive query is typical for a resolver querying a name server and for a name server querying its forwarder (another name server configured to handle requests forwarded to it).
When a DNS server processes a recursive query and a query can not be resolved from local zone files, the query must be escalated to a root DNS server. Each standard-based implementation of DNS includes a cache file (or root server hints) that contains entries for root servers of the Internet domains.
An iterative query is one in which the name server is expected to provide the best information (also known as referral if the server is not authoritative for the name) based on what the server knows from local zone files or from caching. If a name server doesn’t have any information to answer the query, it simply sends a negative response. A non-forwarding DNS server makes this type of query as it tries to find names outside its local domain(s). It may have to query a number of outside DNS Servers in an attempt to resolve the name.
The following figure shows an example of both types of queries.
When a DNS name server receives a DNS request, it attempts to locate the requested information within its own zone files. If this fails because the server is not authoritative for the domain requested, it must communicate with other DNS name servers to resolve the request. Since, on a globally connected network, a DNS resolution request outside a local zone typically requires interaction with DNS name servers outside of the company on the public internet, you may want to selectively enable specific DNS name servers in your company to do this wide-area communication.
To address this issue, DNS allows for the concept of forwarders. Specific DNS name servers are selected to be forwarders, and only forwarders are allowed to carry out the wide-area communications across the Internet. All other DNS name servers within the company are configured to use forwarders and are configured with the IP addresses of the DNS name servers designated as forwarders. This configuration is done on a per server basis, not a per zone basis, on the Forwarders-tab of the properties of a DNS server. Also select the Disable recursion on the Advanced tab to prevent the DNS server from using other servers.
When a server which is configured to use forwarders receives a DNS request that it is unable to resolve (through its own zone files), it passes the request to one of the designated forwarders. The forwarder then carries out whatever communication is necessary to resolve the request and returns the results to the requesting server, which, in turn, returns the results to the original requester. If the forwarder is unable to resolve the query, the DNS server attempts to resolve the query on its own as normal.
Slaves are DNS servers that have been configured to use forwarders and have also been configured to return a failure message if the forwarder is unable to resolve the request. Slaves make no attempt to contact other name servers if the forwarder is unable to satisfy the request.
Although all DNS name servers cache queries that they have resolved, Caching-only servers are DNS name servers whose only job is to perform queries, cache the answers, and return the results. In other words, they are not authoritative for any domains and only contain information which they have cached while resolving queries.
To be able to convert an ip-address to a domain name, a special domain "in-addr.arpa." in the DNS name space was created. But since IP addresses get more specific from left to right and domain names get less specific from left to right, the order of IP address octets must be reversed when building the in-addr.arpa tree. To find a host name for the IP address 157.55.200.2, the resolver would query the DNS server for a pointer record for 2.200.55.157.in-addr.arpa. If this IP address was outside the local domain, the DNS server would start at the root and sequentially resolve the domain nodes until he reached 200.55.157.in-addr.arpa which should contain the resource PTR record for 2 (that is 157.55.200.2).
The active directory can be used for storing and replication DNS entries. The benefits are :
| Replication will be handled by the Active Directory service. |
| Per-property replication is possible. |
| Secure replication. |
| No single point of failure in a primary DNS server. Active directory replication is multi-master. |
| Secure update possibility. |
| Support for UTF-8 characters. |
Only DNS servers on a domain controller can load DS integrated zones.
The multi-master replication model can cause problems if two changes to the same object are made on different DNS servers. When replication, only the last modified/created item will remain. Until this time different answers will be givens by the two servers. This is why the Active Directory database is called loosely consistent.
DS integrated DNS servers do provide secure dynamic DNS updates. Every DS-integrated zone, or object within this zone, has a ACL which allows users of groups to create, modify or delete the object.
The Windows 2000 DNS service supports Dynamic DNS (DDNS) as covered in RFC 2136. Via an UPDATE-message, resource-records can be added and deleted for a specific zone. Updates will be made on the primary server. On a non-ds-integrated DNS environment, update-messages will be forwarded to the primary server. In a ds-integrated DNS environment, update-messages can be send to any DNS server on a domain controller whose directory service contains the zone.
During a zone-transfer the zone is locked but to be able to provide dynamic updates, these updates will be queued and handled after the zone-transfer.
Updates are made via the following algorithm :
| The client uses a SOA query to locate the primary DNS server and zone authoritative for the record to be registered. |
| The client sends an assertion (prerequisite only update) to this server to verify and existing registration. If the entry does not exist the client will send the appropriate dynamic update package to register the entry. By default, if the entry exist, it will be overwritten. This can be changed in the registry for security reason to prevent false registrations. |
| If the update fails, the client retries at other primary servers if the zone is multi-master. If all fail, it first will be retried after five minutes. If this fails, once again after ten minutes. If this also fails at will be retried every 50 minutes after the last retry. |
| Every computer running Windows 2000 attempts the registration of an A- and a PTR-record by using the DHCP-client. This service runs even if the client is configured not to use DHCP. |
| If the client does not use DHCP, the client itself will add the A- and PTR-record to the DDNS server by using the DHCP-service. The same happens if a client uses RAS. |
If the client uses DHCP, the DHCP-server is used to negotiate the DDNS-registration. The following situation can appear :
| Default the client tries to register the A-record, while the DHCP-server registers the PTR-record. In this case the DHCP-server is configured to ‘Update DNS server according to client request’. (default setting) |
| If the DHCP-server is configured to ‘ Always update DNS' the DHCP-server will create both the A- and the PTR-record. |
| If the DHCP-server is disabled to perform dynamic updates, the client will register the A- and PTR-record. |
| For down-level clients (Windows 95,98, NT 4.0) the option ‘Enable updates for DNS clients that do not support dynamic updates’ should be activated so that the Windows 2000 DHCP-server will add the A- and PTR-records. |
A client will re-register it’s DNS entries via ‘ipconfig /registerdns’. If you want a DC to re-register all entries from netlogon.dns, restart the netlogon service.
At the expiration of the lease, the dynamic DNS entries must be removed from the zone. This should be done by the computer who created the resource-records. (the DHCP-client or DHCP-server). By default, the DHCP-server will only remove the records it did register (standard only the PTR-record). When the option ‘Discard forward (name-to-address) lookups when lease expire’ is activated, also A-records will be removed by the DHCP-server.
DNS entries are reregistered by the DHCP-server when a lease is renewed. A DHCP-client renews the entry every 24 hours or at the following events :
| The TCP/IP configuration is changed. |
| The DHCP address is renewed or a new lease is obtained. |
| A plug and play event occurs. |
| An ip address is added or removed from an adapter. |
You can change the interval of 24 hours are the registry entry hkey_local_macine\System\CurrentControlSet\Services\TCPIP\Parameters\DefaultRegistrationRefreshInterval. After creating the entry you should restart the machine.
The default TTL for a resource record entered by a client is 20 minutes. This can be changed via the registry entry hkey_local_machine\system\CurrentControlSet\Services\TCPIP\Parameters\DefaultRegistrationTTL (seconds). After creating the entry you should restart the machine.
If a client dynamically registers an address that is already in DNS, by default the existing entry is overwritten in a non-secure environment. This can be changed via the registry setting Hkey_local_macine\System\CurrentControlSet\Services\TCPIP\Parameters\DisableReplaceAddressesInConflict. By default the value is 0 which means that existing entries will be overwritten. When changed to 1, the client will not overwrite existing names.
You can disable dynamic updates for the whole client on the registry key hkey_local_machine\CurrentControlSet\Services\TCP\Parameters\DisableDynamicUpdate or per interface on hkey_local_machine\CurrentControlSet\Services\TCPIP\Parameters\Interfaces\<interface>\DisableDynamicUpdate.
If you only want to disable the registration of reverse lookups you can change the DisableReverseAddressRegistrations registry entry. You can only disable PTR registration per machine and not per adapter.
DS integrated zones can be configured to use secure dynamic updates. By default all new created ds-integrated zones are configured to only allow secure updates. The following process describes secure updates :
A client can use three policies for secure DDNS-updates :
| Attemp a non-secure dynamic update first and if it fails use negotiate a secure dynamic update. (default) |
| Always negotiate a secure dynamic update. |
| Attemp only a non-secure dynamic update. |
You can change the behaviour of the client via the registry entry hkey_local_machine\CurrentControlSet\Services\TCPIP\Parameters\UpdateSecurityLevel. When set to 256 only a secure dynamic update is done, when set to 16 only an insecure dynamic update is done and when set to 0 a secure update is done when a non secure update is refused. 0 is the default setting.
By default any authenticated user can create A- and PTR-records in a zone but when the record is created only members of the ACL have modification-rights. This can cause problems if the host trying to refresh the record is not the same as the host that registered. For example of DHCPserver1 registers the first time, and DHCPserver2 the second time. To solve this problem add the DHCP-servers to the DNSUpdateProxy-group. All records created by members of this group do not have security and can be taken ownership of by the next resource that modifies the record. Keep in mind that a security problem arises as all entries added by the DHCP server, including it’s own records, are non-secure.
Advise : Do not install DHCP on a domain controller as the DHCP-services runs under the computeraccount (in that case domain controller account) and has full control of all entries in the DDNS-environment.
To create new zones within DNS, users need to be member of the DSNAdmins-group.
Via per-name granularity a name can be reserved within DNS. Only members of the ACL of this name are able to enter the records for this resource within the DNS.
In some cases DDNS-records are not automatically deleted. This causes stale records in the database that use extra resources and can give wrong answers. To clean up the database aging and scavenging can be used by specifying the following :
| Which servers can scavenge records. |
| Which zones can be scavenged. |
| Which records must be scavenged if they become stale. |
By default scavenging is disabled. When activated, records created before enablement will not be scavenged. The only way to scavenge these old records is to use the AgeAllRecords option in dnscmd.exe.
Aging and scavenging parameters per zone :
| No-refresh interval. Time after a record’s timestamp has been refreshed, in which no refreshes are allowed. (updates are still possible). Default this parameter is copied from the DNS’s server parameter ‘Default no-refresh interval’ |
| Refresh interval. After the refresh interval, the server may scavenge the records that have not been refreshed during the refresh interval or afterwards. Default this parameter is copied from the DNS’s server parameter ‘DefaultRefreshInterval’ |
| Enable scavenging. This flag tells whether aging and scavenging is enabled for the zone. |
| ScavengingServers. This parameters tells which servers are allowed to scavenge. (only configurable via dnscmd.exe) |
Aging and scavenging parameters per server :
| Def. No-refresh int. Default no-refresh interval for an Active Directory integrated zone. (default 7 days) |
| Def. Refresh int. Default refresh interval for an Active Directory integrated zone. (default 7 days) |
| Def. Enable scavenging. Tells if scavenging is activated for a zone by default. (default is off) |
| Enable scavenging. Tells whether the server can per perform scavenging of stale records. Default this is not. If activated, scavenging is started after every period noted in the scavenging period value. |
| Scavenging period.Tells how often the server should perform scavenging. (default 7 days) |
A server can start scavenging a zone when :
| The EnableScavenging parameter for the server is set to 1. |
| The EnableScavenging parameter for the zone is set to 1. |
| Dynamic updates are enabled for the zone. |
| The zone parameter ScavengingServers is not specified or the ip address of the server is in it. |
| The current time is greater than the value of the zone parameter StartScavenging. |
Active directory zone-files with scavenging enabled cannot be copied to non-Windows 2000 DNS servers as the format has been changed. Zone-transfers do work.
Time-stamps of records that are created by any other method than a dynamic update are set to zero. A zero value indicates that the timestamp must not be refreshed and that the records should not be scavenged.
Windows 2000 DNS does support UTF-8 characters to easy the migration from NetBIOS names. Keep in mind that when using non-Windows 2000 DNS servers zone-transfers can give problems for UTF-8 names. Also do not use these names in computers that should be visible globally.
UTF-8 character encoding is a superset of ASCII and a translation of UCS-2 (UniCode). It contains characters of most of the world’s written languages. (RFC 2044)
You can set per DNS server if you allow the usage of UTF-8 character on the Advanced tab of the server’s properties. You can set on of the following options for Name checking :
| Strict RFC (ansi). Allows ‘A’ to ‘Z’, ‘a’ to ‘z’, ‘-’ the * as the first label and the _ as the first character of a label. |
| Non RFC (ansi). Allows all character as mentioned in ‘Strict RFC’ and the _ anywhere in a name. |
| Multibyte (UTF-8). Allows all chacters as mentioned in ‘Non RFC’ and all UTF-8 characters. |
| Any character. Allows any character, including the UTF-8 characters. |
The maximum length of a fully qualified domain name is 255 bytes, the maximum of a label is 63 bytes. A domain controller is limited to 155 bytes for a fully qualified domain name.
The domain locator is part of the Netlogon-service and enables a client to locate a domain controller. The domain controller location algorithm contains the following steps :
| The client collects the info needed to select a domain
controller :
| ||||||
| Netlogon calls the DNS server using the ip/dsn compatible locator. | ||||||
| If the machine running the netlogon service is not configured to use IP or DNS, or the ip/dns locator was unable to discover a domain controller, netlogon uses the Windows NT 4 domain locator. | ||||||
| The information of the located domain controller is returned to the caller. |
Steps within the ip/dsn locator :
| Call DnsQuery specifying one of the criteria specific DNS host names. |
| If IP is not supported or DNS is not supported, return from the algorithm indicating so. |
| If the specified name cannot be found (perhaps because the domain has been renamed), return from the algorithm indicating so. |
| Upon retrieving the list of DCs from DNS, the client will ping the various DCs in weighted random order. After each ping, the client will wait 1/10th second for a response to the ping. Choosing the DCs at random provides a first level of load balancing. Doing multiple pings in quick succession ensures the discovery algorithm terminates in a reasonable amount of time. The pinging continues until all the returned DCs have been tried or until positive response has been received from the pinged DC, whatever comes first. |
| When a DC responds to the ping, the parameters supplied in the response is compared to the parameters required by client. If the information mismatches, the response is ignored. |
| The first DC to respond to a ping and satisfy client’s requirements is used by the client. |
When a locator searches for a domain controller, it attempts to find one in the same site where the client is unless specified otherwise. If at the beginning of the search the locator is not aware of the client’s site, it will query a DNS server for the records of the domain controllers in the specified domain. Then it contacts discovered domain controllers and finds the site to which the client belongs. If the discovered domain controller is not in the same site the locator will repeat DNS query specifying the client’s site.
A domain controller should be registered within DNS. To receive the domain controllers, the client sends a DNS query to the DNS server to lookup the domain controller(s) for the specific domain. After the query is resolved the client sends LDAP UDP lookup’s to check the availability of the domain controllers. Finally the netlogon service caches the found domain controllers.
A domain controller adds the following SRV items to a DNS server :
_ldap._tcp.<DnsDomainName>
Allows a client to find a Windows 2000 domain controller.
_ldap._tcp.<sitename>._sites.<DnsDomainName>
Allows a client to find a ldap server within a specific domain and site.
_ldap._tcp.pdc._msdcs.<DnsDomainName>
Allows a client to find a PDC emulator for a domain. These records are maintained by the PDC emulator of the domain.
_ldap._tcp.gc._msdcs.<DnsForestName>
Allows a client to find the global catalog server for the specific domain. Only a domain controller serving the global catalogue for that forest registers this name.
_ldap._tcp.<SiteName>._sites.gc._msdcs.<DnsForestName>
Allows a client to find a global catalog for the specific domain and site. Only a domain controller acting as a global catalogue server in this domain registers this entry.
_ldap._tcp.<DomainGuid>.domains._msdcs.<DnsForestName>
Allows a client to find a domain controller in a domain with the specific guid. This operation will only be done if the domainname has changed and the dnsforestname is known.
_ldap._tcp.writeable._msdcs.<DnsDomainName>
Allows a client to find a domain controller in the specified domain that hold a modifiable copy of the directory. In mixed mode, the PDC registers this name. In native mode, all domain controllers register this name.
_ldap._tcp.dc._msdcs.<DnsDomainName>
Allows a client to find a domain controller for a specific domain.
_ldap._tcp.<sitename>._sites.dc._msdcs.<DnsDomainName>
Allows a client to find a domain controller for a specific domain and site.
_gc._tcp.<DnsForestName>
Allows a client to find a global catalogue for this domain.
_gc._tcp.<sitename>._sites.<DnsForestName>
Allows a client to find a global catalogue for this domain and site.
_Kerberos_tcp.<DnsDomainName>
Allows a client to locate a Kerberos key distribution server (KDC) for the specific domain.
_Kerberos._udp.<DnsDomainName>
Same as previous entry, except for UDP.
_kerberos._tcp.<sitename>._sites.<DnsDomainName>
Allows a client to locate a KDC for the specific domain and site.
_kerberos._tcp.dc._msdcs.<DnsDomainName>
Allows a client to locate a KDC on a dc in the specific domain.
_kerberos._tcp.<sitename>._sites.dc._mcdcs.<DnsDomainName>
Allows a client to locate a KDC on a dc in the specific domain and site.
_kpasswd._tcp.<DnsDomainName>
Allows a client to find a Kerberos password change server for the specific domain
_kpasswd._udp.<DnsDomainName>
Same as previous, except for UDP.
A domain controller also adds the following A items to a DNS server via netlogon:
<dnsdomainname>
Allows a client to find a domain via an A record lookup.
_Gc_.msdcs.<dnsforestname>
Allows a client to find a global catalogue server via an A record lookup.
A domain controller adds the following CNAME item to a DNS server via netlogon:
<dnsguid>._msdcs.<dnsforesetname>
Allows a client to find any dc in the forest via a normal A record lookup.
To find out which locator resource records are created by the netlogon service check the file %systemroot%\system32\config\Netlogon.dns. The entries created by the netlogon services are by default recreated every hour. Article Q178148 describes how you can disable parts of the automatic registration.
The Windows 2000 implementation of DNS introduces a client-side caching resolver for DNS name resolution. Caching resolver is a Windows 2000 service with the sole purpose of improving name lookup performance, and reducing network traffic associated with name lookups by minimizing the number of name resolution round trips.
Caching resolver runs in the context of the Services.exe process (Service Control Manager) and can be turned on and off just like any other service.
You can view the contents of the cache via ‘ipconfig /displaydns’. It contains the entries of the host file and the positive and negative answers received via name resolution from which the TTL has not expired. You can clean the cache via ‘ipconfig /flushdns’ Via this command the cache is cleaned and the host file is reload.
Positive responses are stored in the cache for the period as specified by the server (TTL) but not longer than the value of the MaxCacheEntryTtlLimit in the \hkey_local_machine\System\CurrentControlSet\Services\DNSCache\Parameters sections of the registry. The default value is 86400 seconds. (24 hours)
Negative responses are stored for the period specified in the NegativeCacheTime entry of the registry. This is 300 seconds by default. You can disable negative caching by setting this entry to 0.
A Windows 2000 DNS server also uses negative caching. On a server the maximum caching time is the same as the maximum TTL of the SOA with a minimum of 1 minute and a maximum of 15 minutes.
When a resolver receives multiple A records for a host, it first uses the ip address of the host on the same subnet as the resolver. This is called subnet prioritization. Subnet priorization disables Round-robin in which the servers changes the order of offering multiple ip addresses for the same host. It is an easy way to provide load balancing. Round-robin is described in RFC 1794.
You can disable subnet priorization by setting the value of the Hkey_local_machine\System\CurrentControlSet\Services\DNSCache\Parameters\PrioritizeRecordData to 0.
On the DNS server you can enable Round-robin on the Advanced tab. You can also enable subnet priorization on the server via the registry parameter LocalNetPriority. By default this option is set to 0 (disabled). This leads to the following combinations :
| Round-robin enabled, LocalNetPriority = 1. The server rotates among the A resource records it returns in the order of their similarity of the ip address of the client. |
| Round-robin disabled, LocalNetPriority = 1. The server returns the records in local net priority order. It does not rotate addresses. |
| Round-robin enabled, LocalNetPriority = 0. The server rotates the A records that it returns to the client based on the order in the database. |
| Round-robin disabled, LocalNetPriority = 0. The servers returns the A records to the client in the order as they are stored in the database. |
You can also activate subnet prioritization on the server via the option 'Enable netmask ordering' on the advanced tab.
The registry information of DNS is stored in Hkey_local_machine/System/CurrentControlSet/Services/DNS. The DNS folder (systemroot\system32\Dns) contains the following files :
| Domain_name.dns. The zone database file to convent names to ip-addresses. |
| z.x.w.in-addr.arpa. File used for reverse lookup. |
| Cache.dns. Host information for hosts outside authorative domains. By default in contains all of the root servers of the internet. |
| Boot. Optional as also used in registry. Describes how DNS-service starts. |
| Dns.log. A logfile can be activated on the DNS-server’s properties. |
| Sample directory. This directory contains samples of a root, boot, domain name and arpa files. |
| Backup directory. |
A name that has to be looked-up via DNS can fall into three categories :
Fully qualified name
A fully qualified domain name refers to a specific host e.g. ntserver.mydomain.microsoft.com. No alterations are needed. When looking-up such name, first the cache is checked. (hosts-file is loaded into cache) If this lookup fails, the first server of the list of DNS-servers is asked for resolution of the address. Four types of answers are possible :
| A positive answer. The name exists and has data associated with it. |
| A negative answer. The name does not exist or has no data associated with it. |
| A server failure. The server cannot service the request. |
| No response. No answer is received. |
Only in case of a server failure or a non-response, the client will ask the next DNS server in the list the same question. If a server not responds, the priority of the DNS-server-list will automatically be reordered.
The name-resolution-process can be summarized :
| The cache is checked. |
| The query is issued to the lead server on the preferred adapter's server list. |
| If no response was received within a one second interval, the query is issued to the lead server(s) on all adapters, including the one on the preferred adapter. |
| If no response was received within a two second interval, the query is issued to all DNS servers on all lists, including the lead servers queried before. |
| If no response was received within a two second interval, once again the query is issued to all DNS servers on all lists. |
| This procedure will be repeated after 4 seconds, and later after 8 seconds if no response is received. |
| If the query is not resolved after all listed attempts (they may take up to seventeen seconds), then a timeout is returned to the client. |
Unqualified simple label name
A single name without a dot is called a unqualified simple label name, e.g. ntserver. This name has to made full qualified by adding a suffix. Two types of suffix’s are possible. If a suffix search order is predefined, then it is used. If it is not defined then the Primary (normally the Active Directory domain name) and per-adapter domain names are used. The steps of resolving a unqualified simple name are :
| Global suffix search order. If a domain suffix search list is
entered, the primary DNS suffix name and the connection-specific domain names
are ignored. The global suffix search order is set by the TCP/IP options. This
setting is not per adapter based. To start the lookup process, the first
global suffix is added to the name, then a fully qualified lookup is made. If
there is a response or a time-out, the lookup process stops, otherwise the
next global suffix is used. If all suffixes are used, a negative response is
return. |
| Using primary DNS suffix per adapter domain names. To create a fully qualified domain name, first the PrimaryDnsDomainName for the machine is used. If this lookup fails, instead of a time-out or success, the PrimaryDnsDomainName(s)- for the TCP/IP configuration(s) per adapter are used. If this fails, the devotion-mechanism is used on the PrimaryDnsDomainName. (if turned-on via the registry) |
Unqualified multi label name
A name containing dots, but not dot-terminated, is called an Unqualified Multi-Label name, for example ntserver.mydomain. A name with dots in it may be unique, or partially qualified.
To lookup these names first a fully qualified domain name is created by adding a dot. If this fails, the entries from the domain suffix search list are added. If there is no domain suffix search list, first the primary DNS suffix name is added to created a fully qualified domain name. If this fails the connection-specific DNS names are added. If this process also fails, the devotion mechanism is used by decreasing the primary DNS suffix. E.g. if the name of the client is ‘test’ and the primary domain suffix is ‘eu.microsoft.com’ first test.eu.microsoft.com is tried. If this fails, test.microsoft.com is tried and so on until two labels are left.
An administrator can get permissions to modify DNS server settings when add to the domain local group DNS admins.
Before Nslookup will work, a PTR record of the name-server must exist in the DNS. Nslookup provide a console with the following options :
| Name. Provides DNS info about name using the primary DNS server. |
| Name1 name2. DNS info about name1 using DNS server name2. |
| Set. set various options. |
| Server. Sets default server to query, using current default server. |
| Lserver. Sets default server to query, using initial server. |
| Finger. Fingers the name. |
| Ls. With various options to view/export DNS entries. |
| View. View a file. |
| Exit. Exit the nslookup utility. |
You can use the following commands of ipconfig for troubleshooting :
| ipconfig /all. Display all ip information including the fqdn and the domain suffix search list. |
| ipconfig /flushdns. Flushes and reset the DNS resolver cache. |
| ipconfig /displaydns. Displays the contents of the DNS resolver cache. |
| ipconfig /registerdns. Refreshes the DHCP lease and registers the related DNS names. Only available on Windows 2000 DHCP clients. |
| ipconfig /release [adapter]. Releases all DHCP leases. |
| ipconfig /renew [adapter]. Refreshes all DHCP leases and dynamically updates the DNS names. Only available on Windows 2000 DHCP clients. |
You can also flush the DNS resolver cache by stopping and starting the dns client service.
Within the eventviewer you can find messages about the DNS server in the DNS server area. Messages about the DNS client can be found in the System log.
On the Logging tab of the DNS server you can set the DNS server to maintain a log file. It can log the following types of events :
| Queries |
| Notification messages from other servers |
| Dynamic updates |
| Content of the question section for DNS query messages |
| Content of the answer for DNS query messages |
| Number of queries this server sends |
| Number of queries this server has received |
| Number of DNS requests received over an UDP port |
| Number of DNS requests received over an TCP port |
| Number of full packets sent by the server |
| Number of packets written through by the server and back to the zone |
The file is stored in RTF format in the %systemroot%\system32\dns\dns.log. The folder and filename can be changed in hkey_local_machine\CurrentControlSet\Services\DNS\parameters\LogFilePath.
The default size is 4 mb. This can be changed via the LogFileMaxSize entry in the registry. (minimun size 64 kb)
On the Monitoring tab of the DNS server you can use the ‘Test Now’-button to test the DNS server.
Dnscmd.exe is a command based interface to the DNS server. It can be used for all kind of administration. The tool is part of the support tools (\support\tools)
System monitor provides DNS specific performance counters.
|
| Windows 2000 DNS supports dynamic updates, secure updates, IXFR, SRV records and UTF-8 characters. |
|
| Windows NT 4.0 DNS (with Service Pack 4 or greater) supports SRV records but does not support dynamic updates, IXFR or UTF-8. |
|
| BIND 8.2 at later supports IXFR, dynamic updates and SRV records but does not support UTF-8. |
|
| BIND 8.1.2 and later supports dynamic updates and SRV records but does not support IXFR or UTF-8. |
|
| BIND 8.1.1. does not work well with Active Directory. Use 4.9.7 or a newer version |
|
| BIND 4.9.7 and later supports SRV records but does not support dynamic updates, IXFR or UTF-8. |
|
| Before 4.9.7. Does not support SRV records so not suitable for Windows 2000. |
| DNS configuration and error checking enhancements. (WH1291S020701/WH1292S020701) |
| DNS compliance with security extensions of RFC 2535. KEY, SIG and NXR records can be used. Cryptographic options are not supported. (WH0441S020701) |
| Group policy usage for DNS configuration for e.g. dynamic updates. (WH0444S020701) |
| Stub zones and conditional forwarding (WH0443S020701) |
| Support for EDNS0 Protocol. DNS server will accept and transmit UDP packets with a payload size greater than 512 octets as described in RFC 2671. (WH0442S020701) |
| WMI classes to monitor and configure DNS server. (WH1315S012301) |
