Windows 2000 DNS White Paper

Abstract: This paper describes the Microsoft® Windows® 2000 operating system Domain Name System (DNS), including design, implementation, and migration issues.
© 1999 Microsoft Corporation. All rights reserved. The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This white paper is for informational purposes only.
CONTENTS
Introduction
  Name Services in Windows 2000
Dynamic Update
  Protocol Description
  Update Algorithm
  Dynamic Update of DNS Records
  Secure Dynamic Update
Internet Access Considerations
Characters in Names
Computer Names
Integrating ADS with Existing DNS Structure
Deploying DNS to Support Active Directory
DNS FUNDAMENTALS
The designers of the Microsoft® Windows® 2000 operating system chose the Domain Name System (DNS) as the name service for the operating system. Windows 2000 Server includes an IETF standards-based DNS server. Because it follows the RFCs, it interoperates with other RFC-compliant DNS servers. Use of the Windows 2000 DNS server is not mandatory.
Name Services in Windows 2000
DNS is the name service of Windows 2000. It is by design a highly reliable, hierarchical, distributed, and scalable database. Windows 2000 clients use DNS for name resolution and service location, including locating domain controllers for logon. Downlevel clients (Windows NT 3.5 and 3.51, Windows NT 4.0, Windows 95, and Windows 98), however, rely on NetBIOS name resolution, which can use NBNS (WINS), broadcast, or a flat LMHOSTS file.
• draft-skwan-gss-tsig-04.txt (GSS Algorithm for TSIG (GSS-TSIG))
For more information on these documents, go to http://www.ietf.org/. In addition to the listed RFCs and drafts, the implementation of the ATMA DNS records is based on the "ATM Name System Specification Version 1.0".
Additional reading:
• Microsoft DNS and Windows NT 4.0 White Paper (http://www.microsoft.com/windows/downloads/bin/nts/DNSWP.
superseded by RFC 1034 (Domain Names–Concepts and Facilities) and RFC 1035 (Domain Names–Implementation and Specification). RFCs that describe DNS security, implementation, and administrative issues later augmented these. The best-known implementation of DNS, Berkeley Internet Name Domain (BIND), was originally developed for the 4.3 BSD UNIX operating system. The Microsoft implementation of the DNS server became part of the operating system in Windows NT Server 4.0. The Windows NT 4.
Figure: The Internet domain namespace. The top-level domains (int, net, org, com, edu, gov, mil) are managed by the Name Registration Authority; domains beneath them (army, microsoft, whitehouse, mit, mydomain) are managed by their owners, for example microsoft.com by Microsoft.

DNS and Internet
The Internet Domain Name System is managed by a Name Registration Authority on the Internet, responsible for maintaining top-level domains that are assigned by organization and by country. The country-code domain names follow the International Standard ISO 3166.
Description         Class          TTL                        Type   Data
Start of Authority  Internet (IN)  Default TTL is 60 minutes  SOA    Owner Name, Primary Name Server DNS Name, Serial Number, Refresh Interval, Retry Interval, Expire Time, Minimum TTL
Host                Internet (IN)  Zone (SOA) TTL             A      Owner Name (Host DNS Name), Host IP Address
Name Server         Internet (IN)  Zone (SOA) TTL             NS     Owner Name, Name Server DNS Name
Mail Exchanger      Internet (IN)  Zone (SOA) TTL             MX     Owner Name, Mail Exchange Server DNS Name, Preference Number
Canonical Name
• A need to delegate management of a DNS domain to a number of organizations or departments within an organization
• A need to distribute the load of maintaining one large DNS database among multiple name servers, to improve name resolution performance as well as to create a fault-tolerant DNS environment
• A need to reflect a host's organizational affiliation by placing it in the appropriate domain
The NS RRs facilitate delegation by identifying the DNS servers for each zone.
The changes made to the primary zone file are then replicated to the secondary zone file. As mentioned above, a name server can host multiple zones. A server can therefore be primary for one zone (it has the master copy of the zone file) and secondary for another zone (it gets a read-only copy of the zone file). The process of replicating a zone file to multiple name servers is called zone transfer.
or a successful response. Resolvers typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it needs to resolve the request. When it receives a successful response from the other DNS Server(s), it then sends a response to the client. The recursive query is typical for a resolver querying a name server and for a name server querying its forwarder (another name server configured to handle requests forwarded to it).
www.whitehouse.gov:
• Recursive query for www.whitehouse.gov (A RR) from the resolver to its DNS server
• Iterative query for www.whitehouse.gov (A RR) to a root name server
• Referral to the gov name server (NS RRs for gov)
• Iterative query for www.whitehouse.gov (A RR) to the gov name server
• Referral to the whitehouse.gov name server (NS RR for whitehouse.gov)
• Iterative query for www.
For simplicity, the iterative A queries by the DNS server (on the left of the figure) to resolve the IP addresses of the name servers returned by other DNS servers have been omitted.
NEW FEATURES OF THE WINDOWS 2000 DNS
• Incremental Zone Transfer (IXFR)
• Dynamic Update and Secure Dynamic Update
• Unicode Character Support
• Enhanced Domain Locator
• Enhanced Caching Resolver Service
• Enhanced DNS Manager

Active Directory Storage and Replication Integration
In addition to supporting the conventional way of maintaining and replicating DNS zone files, the implementation of DNS in Windows 2000 has the option of using the Active Directory service as the data storage and replication engine.
Each Active Directory service object has attributes associated with it that define particular characteristics of the object. The classes of objects in the Active Directory service database as well as each object’s attributes are defined in the Active Directory service schema. In other words, the schema contains definitions for each class object available in Active Directory service.
Note: Only DNS servers running on domain controllers can load DS integrated zones. The Replication Model Since DNS zone information is now stored in Active Directory service, whenever an update is made to a DNS server, it simply writes the data to Active Directory and continues performing its usual functions. Active Directory service is now responsible for replicating the data to other domain controllers. The DNS servers running on other DCs will poll the updates from the DS.
Note that the Windows 2000 DNS server supports secure dynamic update only for DS-integrated zones. The Windows 2000 implementation provides even finer granularity, allowing per-name ACL specification. ACLs and the specific administrative groups are covered later in "Controlling Update Access to Zones and Names."

Incremental Zone Transfer
To reduce latency in the propagation of changes to a DNS database, an algorithm has to be employed that actively notifies name servers of the change.
The following diagram details the incremental transfer mechanism.
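Since the diagram is not reproduced here, the following added example (Python, not code from the white paper) models the incremental transfer mechanism: the primary logs each change under the SOA serial that produced it, notifies secondaries that are behind, and on a transfer request returns only the changes since the requester's serial, or a full zone (AXFR) when the requester's serial is older than the retained change log. The zone contents and the depth of the retained log are constructed assumptions of the example.

```python
"""Incremental zone transfer (IXFR, RFC 1995) with NOTIFY, modelled in Python.

Added example, not code from the white paper. Records are (owner, type, rdata) tuples."""


class PrimaryZone:
    """Master copy of a zone with a bounded per-serial change log."""

    def __init__(self, name, serial, records, history_depth=3):
        self.name = name
        self.serial = serial
        self.records = set(records)
        self.history = []                   # (old_serial, new_serial, deleted, added)
        self.history_depth = history_depth  # how many serials of deltas to keep (assumed value)

    def commit(self, deleted=(), added=()):
        """Apply a change, bump the SOA serial, and log the delta for IXFR."""
        deleted, added = set(deleted), set(added)
        self.records = (self.records - deleted) | added
        self.history.append((self.serial, self.serial + 1, deleted, added))
        self.history = self.history[-self.history_depth:]
        self.serial += 1
        return self.serial

    def notify_targets(self, secondaries):
        """DNS NOTIFY: the secondaries whose serial is behind and should refresh now."""
        return [s.name for s in secondaries if s.serial < self.serial]

    def transfer(self, requester_serial):
        """Answer a transfer request with ('UP_TO_DATE', []), ('IXFR', deltas) or ('AXFR', records)."""
        if requester_serial == self.serial:
            return ("UP_TO_DATE", [])
        deltas = [h for h in self.history if h[0] >= requester_serial]
        # The log must start exactly at the requester's serial; otherwise only a full transfer is safe.
        if not deltas or deltas[0][0] != requester_serial:
            return ("AXFR", sorted(self.records))
        return ("IXFR", deltas)


class SecondaryZone:
    """Read-only copy of the zone on another name server."""

    def __init__(self, name, serial, records):
        self.name = name
        self.serial = serial
        self.records = set(records)

    def refresh(self, primary):
        """Pull changes from the primary; returns the kind of transfer performed."""
        kind, payload = primary.transfer(self.serial)
        if kind == "IXFR":
            for old_serial, new_serial, deleted, added in payload:
                assert old_serial == self.serial, "deltas must chain from our serial"
                self.records = (self.records - deleted) | added
                self.serial = new_serial
        elif kind == "AXFR":
            self.records = set(payload)
            self.serial = primary.serial
        return kind
```

A secondary that has missed more changes than the primary retains gets a full transfer rather than a chain of deltas that does not start at its own serial; that fallback is what keeps IXFR safe to enable.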
protocols, made manual updating of DNS information impractical. No human administrator can be expected to keep up with dynamic address assignments even in a medium-size network environment. It was clear that automatic assignment of addresses had to be integrated with dynamic DNS updates. This capability, known as Dynamic Update, is defined in RFC 2136.

Protocol Description
The Windows 2000 DNS service supports Dynamic DNS (DDNS) as covered in RFC 2136.
The dynamic update algorithm differs depending on the type of client network adapter engaging in the dynamic update process. The following three scenarios are examined:
• DHCP client
• Statically configured client
• RAS client

DHCP Client
When a Windows 2000 DHCP client bootstraps, it negotiates the dynamic update procedure with the DHCP server. By default, the DHCP client always proposes that it update the A resource record, while the DHCP server updates the PTR resource record.
client’s PTR RR. Also, the DHCP server will remove the corresponding A records if configured to ”Discard forward lookups when leases expire.” Statically Configured Client A statically configured client does not communicate with the DHCP server and dynamically updates both A and PTR RRs every time it boots up, changes its IP address or per-adapter domain name.
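The messages the client and the DHCP server each send are RFC 2136 UPDATE messages. The following added example (Python, not code from the white paper) assembles those messages on the wire, with the header (opcode 5), the zone section and the update section, and parses them back: the client's A-record update, the DHCP server's PTR update on the client's behalf, and the server's A-record cleanup when "Discard forward lookups when leases expire" is set. The zone names, host name, address and TTL are constructed for the example, and no name compression is used, so the parser is deliberately simple.

```python
"""RFC 2136 dynamic update messages for the DHCP client / DHCP server split.

Added example, not code from the white paper."""

import ipaddress
import struct

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_PTR = 1, 6, 12
CLASS_IN, CLASS_ANY = 1, 255       # class ANY with TTL 0 and empty RDATA means "delete all RRs of this type"


def encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"


def decode_name(buf, pos):
    labels = []
    while True:
        length = buf[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length


def rr(owner, rtype, rclass, ttl, rdata):
    return encode_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def build_update(msg_id, zone, prereqs, updates):
    """UPDATE = header (opcode 5) + zone section (SOA of the zone) + prerequisite RRs + update RRs."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, len(prereqs), len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(prereqs) + b"".join(updates)


def client_a_update(msg_id, zone, fqdn, ip, ttl=1200):
    """Client side: delete any A RRs for its name, then add the current address."""
    return build_update(msg_id, zone, [], [
        rr(fqdn, TYPE_A, CLASS_ANY, 0, b""),
        rr(fqdn, TYPE_A, CLASS_IN, ttl, ipaddress.IPv4Address(ip).packed),
    ])


def server_ptr_update(msg_id, reverse_zone, ip, fqdn, ttl=1200):
    """DHCP server side: the PTR record in the reverse zone, registered on the client's behalf."""
    owner = reverse_name(ip)
    return build_update(msg_id, reverse_zone, [], [
        rr(owner, TYPE_PTR, CLASS_ANY, 0, b""),
        rr(owner, TYPE_PTR, CLASS_IN, ttl, encode_name(fqdn)),
    ])


def lease_expiry_update(msg_id, zone, fqdn):
    """DHCP server side when a lease expires and "Discard forward lookups when leases expire"
    is set: delete all A RRs of the name."""
    return build_update(msg_id, zone, [], [rr(fqdn, TYPE_A, CLASS_ANY, 0, b"")])


def parse_update(buf):
    """Decode header, zone section and the prerequisite/update RR sections of an UPDATE message."""
    msg_id, flags, _zocount, prcount, upcount, _adcount = struct.unpack_from("!HHHHHH", buf, 0)
    pos = 12
    zone, pos = decode_name(buf, pos)
    ztype, _zclass = struct.unpack_from("!HH", buf, pos)
    pos += 4
    sections = {"prereq": [], "update": []}
    for key, count in (("prereq", prcount), ("update", upcount)):
        for _ in range(count):
            owner, pos = decode_name(buf, pos)
            rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, pos)
            pos += 10
            rdata = buf[pos:pos + rdlen]
            pos += rdlen
            sections[key].append((owner, rtype, rclass, ttl, rdata))
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF, "zone": zone, "ztype": ztype, **sections}
```

The "delete all A RRs, then add" pair in one message is what makes a client's address change replace the old record atomically instead of leaving both addresses registered.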
algorithm defined in the Internet Draft "GSS Algorithm for TSIG (GSS-TSIG)." This algorithm is based on the Generic Security Service Application Program Interface (GSS-API) specified in RFC 2078. It provides security services independently of the underlying security mechanism, and separates the security services into the following processes:
• Establishing a security context by passing security tokens.
In step 1, the client queries the local name server to discover which server is authoritative for the name it is attempting to update, and the local name server responds with a reference to the authoritative server. In step 2, the client queries the authoritative server to verify that it is authoritative for the name it is attempting to update, and the server confirms it. In step 3, the client attempts a non-secure update, and the server refuses the non-secure update.
however, can be changed through the registry.

Controlling Update Access to Zones and Names
Active Directory controls access to the secure DNS zones, and to the names in them, through ACLs. An ACL can be specified for an entire zone or modified for specific names. By default, any authenticated user can create A or PTR RRs in any zone.
DNS Admins Group
By default, the DNS Admins group has full control of all zones and records in the Windows 2000 domain in which it is specified. For a user to be able to enumerate the zones in a specific Windows 2000 domain, the user (or a group the user belongs to) must be a member of the DNS Admins group. At the same time, a domain administrator may not want to grant such a high level of administration (full control) to all users listed in the DNS Admins group.
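The exchange described in steps 1 to 3 above, together with the ACL checks of this section, as an added example in Python (not code from the white paper): the client locates the authoritative server, tries a plain update and is refused, then retries with a signed update. The signing stands in for GSS-TSIG: a shared key from a simulated TKEY exchange is used with HMAC-SHA256, which is an assumption of the example and not the Windows 2000 wire format. The per-name ACL model, in which any authenticated user may create a name but only its creator or a member of DNS Admins may change it afterwards, is likewise an assumption layered on the paper's statement that ACLs can be set per zone or per name; the zone, principals and keys are constructed.

```python
"""Secure dynamic update against a DS-integrated zone, modelled in Python.

Added example, not code from the white paper. The HMAC signature stands in for the
GSS-TSIG signature; the per-name ownership rule is an assumption of this model."""

import hashlib
import hmac

NOERROR, REFUSED = 0, 5


def sign(key, name, rdata):
    return hmac.new(key, f"{name}|{rdata}".encode(), hashlib.sha256).hexdigest()


class SecureZoneServer:
    def __init__(self, zone, admin_group="DNS Admins"):
        self.zone = zone
        self.admin_group = admin_group
        self.records = {}   # owner name -> {"rdata": ..., "acl": principals allowed to write it}
        self.keys = {}      # principal -> key from the simulated TKEY / GSS context negotiation

    def is_authoritative(self, name):
        return name == self.zone or name.endswith("." + self.zone)

    def negotiate_context(self, principal, key):
        """Stand-in for the TKEY exchange that establishes a GSS security context."""
        self.keys[principal] = key

    def _signature_valid(self, principal, signature, name, rdata):
        key = self.keys.get(principal)
        if key is None:
            return False
        return hmac.compare_digest(sign(key, name, rdata), signature)

    def update(self, name, rdata, principal=None, groups=(), signature=None):
        if not self.is_authoritative(name):
            return REFUSED
        if principal is None or signature is None:
            return REFUSED                    # secure zone: a non-secure update is refused (step 3)
        if not self._signature_valid(principal, signature, name, rdata):
            return REFUSED
        entry = self.records.get(name)
        if entry is None:                     # creation is open to any authenticated user
            self.records[name] = {"rdata": rdata, "acl": {principal}}
            return NOERROR
        if principal in entry["acl"] or self.admin_group in groups:
            entry["rdata"] = rdata
            return NOERROR
        return REFUSED                        # the name's ACL denies this principal


def secure_update(local_server, directory, principal, groups, key, name, rdata):
    """Client side. `directory` (zone -> server) stands in for the SOA/NS answer the client
    obtains from `local_server` in step 1. Returns (steps, final rcode)."""
    steps = []
    zone = next((z for z in sorted(directory, key=len, reverse=True)
                 if name == z or name.endswith("." + z)), None)
    if zone is None:
        return steps + ["step 1: no authoritative server known for the name"], REFUSED
    auth = directory[zone]
    steps.append(f"step 1: {local_server} refers {name} to the server for {auth.zone}")
    steps.append(f"step 2: authoritative for {name}: {auth.is_authoritative(name)}")
    rcode = auth.update(name, rdata)                 # step 3: plain update, expected to be refused
    steps.append(f"step 3: unsigned update rcode={rcode}")
    if rcode == REFUSED:
        auth.negotiate_context(principal, key)       # step 4 (assumed): negotiate the security context
        rcode = auth.update(name, rdata, principal, groups, sign(key, name, rdata))
        steps.append(f"step 4: signed update rcode={rcode}")
    return steps, rcode
```

The interesting property to check is the one the paper's default ACL implies: a second machine account cannot overwrite a name another account created, while a DNS Admins member can.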
• Which zones can be scavenged
• Which records must be scavenged if they become stale
The DNS server uses an algorithm that ensures that it does not accidentally scavenge a record that must remain, provided that you configure all the parameters correctly. By default, the scavenging mechanism is disabled. Do not enable it unless you are certain that you understand all the parameters; otherwise, you might configure the server to delete records that it should retain.
Aging and Scavenging Parameters for Zones

No-refresh interval
  Description: Time interval, after the last time a record's timestamp has been refreshed, during which the server does not accept refreshes for the record. (The server still accepts updates.)
  Configuration tool: DNS console and Dnscmd.exe
  Notes: When an Active Directory-integrated zone is created, this parameter is set to the DNS server's Default no-refresh interval.
Refresh interval
Enable Scavenging
The table below lists the server parameters that affect when records are scavenged. You set these parameters on the server.

Aging and Scavenging Parameters for Servers

Default no-refresh interval
  Description: The no-refresh interval used by default for an Active Directory-integrated zone created on this server.
  Configuration tool: DNS console (shown as No-refresh interval) and Dnscmd.exe
  Notes: By default, this is 7 days.
Record Life Span
The figure below shows the life span of a scavengeable record. When a record is created or refreshed in an Active Directory-integrated zone, or in a standard primary zone for which scavenging is enabled, the record's timestamp is written. Because of the added timestamp, a standard primary zone file for which scavenging is enabled has a format slightly different from a standard DNS zone file. This does not cause any problems with zone transfer.
the record at that time. The time at which records are scavenged depends on several server parameters.

Scavenging Algorithm
The server can be configured to perform scavenging automatically, at a fixed frequency. In addition, you can manually trigger scavenging on a server to perform immediate scavenging. When scavenging starts, the server attempts to scavenge all primary zones and succeeds if all the following conditions are met:
• The EnableScavenging parameter is set to 1 on the server.
Usually, the DHCP service requires the longest refresh interval of all services. If you are using the Windows 2000 DHCP service, you can use the default scavenging and aging values. If you are using another DHCP server, you might need to modify the defaults. The longer you make the no-refresh and refresh intervals, the longer stale records remain. Therefore, you might want to make those intervals as short as is reasonable.
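The record life span and the interplay of the no-refresh and refresh intervals, as an added example in Python (not code from the white paper). A timestamp is written when a record is created or changed; a re-registration with unchanged data is only written once the no-refresh interval has elapsed; static records carry no timestamp and are never scavenged. The rule that a record becomes eligible for scavenging once the no-refresh interval plus the refresh interval have passed since its timestamp is the standard Windows aging rule and is assumed here, as are the 7-day defaults and the constructed record names.

```python
"""Aging and scavenging of dynamically registered records, modelled in Python.

Added example, not code from the white paper. Stale = timestamp + no-refresh + refresh <= now."""

from datetime import datetime, timedelta


class AgingZone:
    def __init__(self, no_refresh=timedelta(days=7), refresh=timedelta(days=7),
                 scavenging_enabled=True):
        self.no_refresh = no_refresh
        self.refresh = refresh
        self.scavenging_enabled = scavenging_enabled
        self.records = {}   # name -> (rdata, timestamp); timestamp is None for static records

    def add_static(self, name, rdata):
        """Records created by an administrator have no timestamp and are never aged."""
        self.records[name] = (rdata, None)

    def dynamic_update(self, name, rdata, now):
        """Create or change a record: the timestamp is always rewritten."""
        self.records[name] = (rdata, now)

    def dynamic_refresh(self, name, rdata, now):
        """A client re-registering its record. Returns True if the timestamp was rewritten."""
        current = self.records.get(name)
        if current is None or current[0] != rdata:
            self.dynamic_update(name, rdata, now)   # different data is an update, not a refresh
            return True
        stamp = current[1]
        if stamp is None:
            return False                            # static record: nothing to refresh
        if now < stamp + self.no_refresh:
            return False                            # inside the no-refresh interval: not written
        self.records[name] = (rdata, now)
        return True

    def stale_at(self, name):
        """Earliest time the record may be scavenged, or None for a static record."""
        stamp = self.records[name][1]
        return None if stamp is None else stamp + self.no_refresh + self.refresh

    def scavenge(self, now):
        """Delete every record whose timestamp is older than no-refresh + refresh; return the names."""
        if not self.scavenging_enabled:
            return []
        removed = [n for n in self.records
                   if self.stale_at(n) is not None and self.stale_at(n) <= now]
        for n in removed:
            del self.records[n]
        return sorted(removed)
```

The no-refresh interval is what keeps a client that re-registers every day (or a DHCP lease renewal) from causing a directory write each time; the refresh interval is the grace period a client has to re-register before the record is removed.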
zone file. Administrators should exercise caution when transferring a zone containing UTF-8 names to a DNS server that is not UTF-8 aware.

The Domain Locator
The Windows 2000 Domain Locator, implemented in the Netlogon service, enables a client (the machine locating a domain controller) to locate a DC. It contains the IP/DNS-compatible and Windows NT 4.0-compatible locators, which provide interoperability in a mixed Windows 2000 and Windows NT 4.0 environment.
Collect the following information: DNS domain name, domain GUID, site name.
The description of the Windows NT 4-compatible Domain Locator has been omitted, since it is irrelevant to DNS; it is described in "Windows 2000 Domain Controller Locator".

IP/DNS Compatible Locator
The algorithm behind the IP/DNS-compatible locator consists of two main parts. First, the domain's DC(s) must be registered with a DNS server. Second, the locator must submit a DNS query to the DNS server to locate a DC in the specified domain.
_ldap._tcp.<SiteName>._sites.<DnsDomainName> Allows a client to find an LDAP server in the domain named by <DnsDomainName> that is in the site named by <SiteName>. For example, _ldap._tcp.redmond._sites.nt.microsoft.com. All Windows 2000 domain controllers register this name.
_ldap._tcp.dc._msdcs.<DnsDomainName> Allows a client to find a DC of the domain named by <DnsDomainName>. All Windows 2000 domain controllers register this name.
_ldap._tcp.<SiteName>._sites.dc._msdcs.<DnsDomainName>
All DCs providing the Kerberos service register this name. This service is at least an RFC 1510-compliant Kerberos 5 KDC; the KDC is not necessarily a DC. All Windows 2000 domain controllers running the Kerberos KDC service register this name.
_kerberos._udp.<DnsDomainName> Same as _kerberos._tcp.<DnsDomainName>, except that UDP is implied.
_kerberos._tcp.<SiteName>._sites.<DnsDomainName>
IP/DNS DC Locator Algorithm
The IP/DNS DC Locator algorithm is executed in the context of the Netlogon service, (typically) running on the client. The algorithm, shown in the flowchart, works as follows:
• Call DnsQuery specifying one of the criteria-specific DNS host names.
• If IP is not supported or DNS is not supported, return from the algorithm indicating so.
Flowchart summary: send a DNS query specifying one of the criteria-specific DNS host names. If the response contains no DC, quit and report the reason. Otherwise, among the DCs returned that have not yet been pinged, choose one in weighted random order and ping it; wait 0.1 seconds and listen for responses from this and the previously pinged DCs. If a DC responds, finish. If none has responded and unpinged DCs remain, repeat the choice; if no unpinged DC remains, quit and report the reason.
A client might have multiple network adapters and thus might have multiple IP addresses. That could theoretically put the client in multiple sites. The design above ignores this remote possibility. Rather, it assumes that the client is in the site corresponding to the adapter, which was used to ping one of the DCs.
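The SRV name construction from the table above and the locator's ping loop, as an added example in Python (not code from the white paper). It builds the names to query from a domain and optional site name, orders the SRV records returned by priority and weighted random choice, and pings one unpinged candidate at a time until one answers. The SRV records and the ping function are constructed stand-ins for the DNS response and the LDAP ping; reading "weighted random order" as the RFC 2782 priority-then-weight ordering is an assumption of the example.

```python
"""IP/DNS-compatible DC location: SRV names, weighted ordering and the ping loop.

Added example, not code from the white paper."""

import random


def dc_srv_names(domain, site=None, kerberos=False):
    """SRV names to query, most specific first: site-specific, then domain-wide."""
    domain = domain.rstrip(".") + "."
    if kerberos:
        names = [f"_kerberos._tcp.{site}._sites.{domain}"] if site else []
        return names + [f"_kerberos._tcp.{domain}", f"_kerberos._udp.{domain}"]
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return names + [f"_ldap._tcp.dc._msdcs.{domain}"]


def pick_weighted(tier, rng):
    """Weighted random choice among records that share the lowest priority."""
    total = sum(r[1] for r in tier)
    if total == 0:
        return rng.choice(tier)
    point = rng.randrange(total)
    for rec in tier:
        point -= rec[1]
        if point < 0:
            return rec
    return tier[-1]


def locate_dc(srv_records, ping, rng=None, wait=0.1):
    """srv_records: (priority, weight, port, target) tuples from the SRV response.
    ping(target) -> True if the DC answers the LDAP ping within the wait window.
    Returns (target, targets pinged in order) or (None, targets pinged)."""
    rng = rng or random.Random(0)
    remaining = list(srv_records)
    attempts = []
    while remaining:
        lowest = min(r[0] for r in remaining)
        tier = [r for r in remaining if r[0] == lowest]
        rec = pick_weighted(tier, rng)
        remaining.remove(rec)
        attempts.append(rec[3])
        # The real locator waits `wait` seconds here and listens for this and earlier pings;
        # the simulation treats the ping result as the reply arriving in that window.
        if ping(rec[3]):
            return rec[3], attempts
    return None, attempts
```

Pinging candidates one at a time with a short wait, rather than all at once, is what lets the locator prefer the closest responsive DC without flooding every DC in the domain on each logon.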
computer, the same rule applies to every adapter separately. This feature is enabled by default and can be disabled through the registry.

Name Resolution
A basic name resolution request consists of a query for a given type of DNS record with a given DNS name. The name supplied in a query falls into one of three categories:
• Fully qualified. The name specified in the query is dot-terminated.
• Unqualified single-label. The name specified in the query contains no dots.
resolution. The name resolution algorithm is summarized as follows:
• The query is issued to the lead server on the preferred adapter's server list.
• If no response is received within one second, the query is issued to the lead server(s) on all lists, including the one on the preferred adapter.
• If no response is received within two seconds, the query is issued to all DNS servers on all lists, including the lead servers queried before.
• The query is processed as a fully qualified query.
• If the result is a positive response, the response is returned to the caller.
• If the result is a timeout, a timeout is returned to the caller.
• If the result is a negative response, the next suffix is appended and the algorithm is restarted at step 2.
• If the suffix search list is exhausted without success, a negative response is returned to the caller.
• The response is returned to the client.

Name Resolution Scenarios
This section provides name resolution scenarios for a multi-homed machine using unqualified single-label and fully qualified queries. In this scenario the global suffix search list is not specified. The following table shows the machine's DNS configuration:

Configuration parameter   Value
Primary DNS Name          mydomain.microsoft.com.
• negative response
• query t1 for boguz.dns.microsoft.com.
• negative response
• query e1 for boguz.dns.ntlab.microsoft.com.
• negative response
• query t1 for boguz.dns.ntlab.microsoft.com.
• negative response
• query e1 for boguz.microsoft.com.
• negative response
• query t1 for boguz.microsoft.com.
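The two client-side algorithms above (server-list escalation and suffix search), as an added example in Python (not code from the white paper) with simulated time. A query goes to the lead server of the preferred adapter, after one second to the lead servers of every adapter, and after two seconds to every server on every list; for an unqualified single-label name the suffixes are appended in turn, a negative answer moves to the next suffix, and a positive answer or a timeout ends the search. The suffix order used (primary DNS suffix, adapter-specific suffixes, then the parents of the primary suffix) is modelled on the trace above and is an assumption, as are the final timeout value and the adapters, servers and records, which are constructed. Unqualified multi-label names are not modelled.

```python
"""Client-side name resolution: server-list escalation and suffix search, modelled in Python.

Added example, not code from the white paper. Time is simulated; no network is used."""

FINAL_TIMEOUT = 4.0   # seconds after which the query is reported as timed out (assumed value)


class Adapter:
    def __init__(self, name, suffix, servers):
        self.name, self.suffix, self.servers = name, suffix, list(servers)


class Server:
    def __init__(self, name, records, up=True):
        self.name, self.records, self.up = name, dict(records), up

    def query(self, fqdn):
        """None = no response; ('positive', ip) or ('negative', None) otherwise."""
        if not self.up:
            return None
        return ("positive", self.records[fqdn]) if fqdn in self.records else ("negative", None)


def query_servers(adapters, fqdn, trace):
    """Escalating fan-out over the adapters' server lists; returns (status, ip, elapsed seconds)."""
    preferred = adapters[0]
    stages = [
        (0.0, [preferred.servers[0]]),                       # lead server, preferred adapter
        (1.0, [a.servers[0] for a in adapters]),             # lead servers on all lists
        (2.0, [s for a in adapters for s in a.servers]),     # every server on every list
    ]
    for at, servers in stages:
        for srv in servers:
            trace.append((at, srv.name, fqdn))
            answer = srv.query(fqdn)
            if answer is not None:
                return answer[0], answer[1], at
    return "timeout", None, FINAL_TIMEOUT


def candidates(name, primary_suffix, adapters):
    """FQDNs to try for `name`; a dot-terminated name is used as is."""
    if name.endswith("."):
        return [name]
    labels = primary_suffix.rstrip(".").split(".")
    devolved = []
    while len(labels) >= 2:                                  # mydomain.microsoft.com -> microsoft.com
        devolved.append(".".join(labels))
        labels = labels[1:]
    seen, out = set(), []
    for suffix in [devolved[0]] + [a.suffix for a in adapters] + devolved[1:]:
        fqdn = f"{name}.{suffix.rstrip('.')}."
        if fqdn not in seen:
            seen.add(fqdn)
            out.append(fqdn)
    return out


def resolve(name, primary_suffix, adapters):
    """Returns (status, ip, trace) where status is 'positive', 'negative' or 'timeout'."""
    trace = []
    for fqdn in candidates(name, primary_suffix, adapters):
        status, ip, _ = query_servers(adapters, fqdn, trace)
        if status != "negative":
            return status, ip, trace
    return "negative", None, trace
```

Note the asymmetry that matters operationally: a negative answer advances to the next suffix, but a timeout stops the whole search, so one unreachable server list can turn a resolvable short name into a failure.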
Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNSCache\Parameters.

Disabling the Caching Resolver
There are two ways to disable the caching resolver:
• Manually disable the caching resolver service by typing "net stop dnscache" at the command prompt. This disables DNS server ordering, support for Plug and Play adapters, and so forth. The end result is Windows NT 4.0-like name resolution.
hardware components can provide information and notification of events. WMI simplifies the instrumentation of various drivers and applications written for Windows, provides detailed and extensible information that is consistent across different vendors' products, and allows for consistent access to Windows instrumentation from non-Windows environments. Among other services, WMI supports the monitoring and management of DNS servers, zones and records.
Receiving Non-RFC Compliant Data
If a Windows 2000 server hosts a secondary zone and receives unknown resource records, it drops those records and continues zone replication. It also drops circular CNAME resource records if it receives them.

DNS Server Performance
The statistics presented below are compiled as a profile of DNS server performance during preliminary testing of Windows 2000 Server.
Hardware component      Sizing
Number of processors    Two
Processor               Intel Pentium II 400 MHz
Amount of RAM           256 MB (megabytes)
Hard disk drive space   4 GB (gigabytes)

These measurements were based on the server computer running a DNS server with no other services in use. Where other hardware specifications or software configurations are used when deploying Windows 2000 DNS servers, your performance results are likely to vary from those documented here.
namespace and DNS architecture to support it, and then revising the ADS and DNS design if unforeseen, or undesirable consequences are uncovered. The Windows 2000 Active Directory Namespace Design white paper describes the ADS namespace, including the forest and tree domain structure, organizational units, the global catalog, trust relationships, and replication.
strongly discouraged, since it may lead to the ambiguity in name resolution processes. In this section the focus is on the design of the private namespaces and the configuration of the DNS servers and zones. The specifics of two different designs are presented by considering two companies using private namespaces of different structure. These two companies, YYY and ZZZ Corporations, have reserved the DNS domain name suffixes, yyy.com. and zzz.com.
The following DNS configuration and name resolution scenarios are considered in detail with overlapping internal and external namespaces, since it is the most complicated case. It is assumed that the namespaces of both companies consist only of names within a NSI assigned domain, that is, yyy.com. and zzz.com. It is also assumed that all computers in the YYY Corporation are proxy clients supporting Proxy AutoConfiguration File, while none of the computers in the ZZZ Corporation are proxy clients.
zone, that is, zzz.com., must also contain the zones containing all (internal and external) names of the merged companies. Now take a look at a private namespace design and the configuration of the DNS servers, zones and clients for the YYY Corporation. The private namespace includes a private root,”.”. A company must devote a set of DNS servers that are not exposed to the Internet to maintain zones containing internal names from the private company namespace.
Figure: Private namespaces of the YYY and ZZZ Corporations. Each company runs a private root "." with the zones com., yyy.com. or zzz.com., and the delegated child zones first., second. and third.yyy.com. (respectively first., second. and third.zzz.com.); the external world (global network, including someother.com.) is reached through a proxy server, firewall and VPN. Legend: Zone.Name. denotes a primary zone; the boxes denote a DNS server, firewall, VPN or proxy server.
forwards the query to the DNS server containing the zzz.com. zone (Step 2). This server finds a delegation to third.zzz.com. in the zzz.com. zone. It sends the query to that server (Step 3), receives the response (Step 4), passes it to the previous server (Step 5), which finally returns it to the client (Step 6).

Figure: Resolution of an external name from the YYY and ZZZ Corporations. The numbered steps run between the assigned DNS server, the private root ".", the com., yyy.com. and zzz.com. zones, the proxy server, firewall and VPN, and the external world (global network).
(Step 8). The DNS server returns the response to the proxy server (Step 9). Finally, the proxy server uses the obtained IP address of www.someother.com. to contact it and provides the necessary information to the client (Step 10). A computer in the ZZZ Corporation needs to resolve a DNS query for www.someother.com. It submits an appropriate query to the assigned DNS server (Step 1). If its cache contains necessary data, then the server will respond to the client.
Figure: Resolution of internal names in the YYY and ZZZ Corporations (Steps 1 to 4) between the assigned DNS server, the private root "." and the yyy.com. and zzz.com. zones with their delegated child zones.
A computer in the ZZZ Corporation needs to resolve a DNS query for www.zzz.com. It submits the query to the assigned DNS server (Step 1). If its cache contains the necessary data, the server will respond to the client. Otherwise the server forwards the query to the DNS server containing the zzz.com. zone (Step 2). Since the server is authoritative for the name www.zzz.com. it resolves the query and returns the response to the client through the forwarding DNS server (Steps 3-4).
First it finds that the name myname.zzz.com. is internal, based on the PAC file. Therefore, it submits a query to the assigned DNS server (Step 1). If the cache contains the necessary data, the server will respond to the client. Otherwise, the server will query a root server (Step 2). The root server that contains the “.” zone finds a delegation to the zzz.com. zone and returns a reference to the authoritative server (Step 3). The server uses the IP address of the name server that contains the zzz.com.
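The resolution walks in this section and the earlier www.whitehouse.gov example, as an added example in Python (not code from the white paper): a resolver's recursive query is answered by a server that issues iterative queries and follows referrals; a client's assigned server may instead forward to the server holding the zzz.com. zone, which follows its own delegation to third.zzz.com.; and a server configured with a private root "." obtains the zzz.com. delegation from it. Server names stand in for IP addresses, the answer is cached on the server that obtained it, and all zone data and addresses are constructed for the example. The proxy/PAC decision between internal and external names is not modelled.

```python
"""Recursive and iterative resolution with delegations, forwarders and a private root.

Added example, not code from the white paper. Server names stand in for addresses."""


class DnsServer:
    def __init__(self, name, directory, root=None, forwarder=None):
        self.name = name
        self.directory = directory        # name -> DnsServer, shared by all servers (stands in for IPs)
        self.root, self.forwarder = root, forwarder
        self.zones = {}                   # zone -> {"records": {fqdn: ip}, "delegations": {child: server}}
        self.cache = {}
        directory[name] = self

    def add_zone(self, zone, records=None, delegations=None):
        self.zones[zone] = {"records": dict(records or {}), "delegations": dict(delegations or {})}
        return self

    @staticmethod
    def _within(fqdn, zone):
        return zone == "." or fqdn == zone or fqdn.endswith("." + zone)

    def query(self, fqdn):
        """Non-recursive answer from own zones: ANSWER, REFERRAL, NXDOMAIN or NOT_AUTH."""
        zones = [z for z in self.zones if self._within(fqdn, z)]
        if not zones:
            return "NOT_AUTH", None
        zone = self.zones[max(zones, key=len)]              # closest enclosing zone wins
        for child, server in zone["delegations"].items():
            if self._within(fqdn, child):
                return "REFERRAL", server
        if fqdn in zone["records"]:
            return "ANSWER", zone["records"][fqdn]
        return "NXDOMAIN", None

    def resolve(self, fqdn, trace):
        """Recursive service for a client: own data, cache, forwarder, or iteration from the root."""
        if fqdn in self.cache:
            trace.append((self.name, "cache", fqdn))
            return self.cache[fqdn]
        kind, data = self.query(fqdn)
        if kind == "ANSWER":
            result = data
        elif kind == "NXDOMAIN":
            return None
        elif kind == "REFERRAL":
            result = self._iterate(fqdn, data, trace)
        elif self.forwarder:
            trace.append((self.name, "forward", self.forwarder))
            result = self.directory[self.forwarder].resolve(fqdn, trace)
        elif self.root:
            result = self._iterate(fqdn, self.root, trace)
        else:
            result = None
        if result is not None:
            self.cache[fqdn] = result
        return result

    def _iterate(self, fqdn, server_name, trace):
        """Iterative queries: follow referrals until an answer or a negative response."""
        while True:
            trace.append((self.name, "iterative", server_name))
            kind, data = self.directory[server_name].query(fqdn)
            if kind == "ANSWER":
                return data
            if kind != "REFERRAL":
                return None
            server_name = data


def build_scenarios():
    """Constructed namespaces: the public root/gov/whitehouse.gov chain and the YYY/ZZZ private namespaces."""
    d = {}
    DnsServer("public-root", d).add_zone(".", delegations={"gov.": "gov-ns"})
    DnsServer("gov-ns", d).add_zone("gov.", delegations={"whitehouse.gov.": "wh-ns"})
    DnsServer("wh-ns", d).add_zone("whitehouse.gov.", records={"www.whitehouse.gov.": "192.0.2.10"})
    DnsServer("isp-resolver", d, root="public-root")
    DnsServer("private-root", d).add_zone(".", delegations={"yyy.com.": "yyy-ns", "zzz.com.": "zzz-ns"})
    DnsServer("yyy-ns", d).add_zone("yyy.com.", records={"www.yyy.com.": "10.1.0.10"})
    DnsServer("zzz-ns", d).add_zone("zzz.com.", records={"www.zzz.com.": "10.2.0.10", "myname.zzz.com.": "10.2.0.11"},
                                    delegations={"third.zzz.com.": "third-ns"})
    DnsServer("third-ns", d).add_zone("third.zzz.com.", records={"host.third.zzz.com.": "10.2.3.5"})
    DnsServer("zzz-dns1", d, forwarder="zzz-ns")       # ZZZ client's assigned server forwards
    DnsServer("yyy-dns1", d, root="private-root")      # YYY client's assigned server uses the private root
    return d


def lookup(directory, server, fqdn):
    trace = []
    return directory[server].resolve(fqdn, trace), trace
```

The trace returned with each answer is the list of steps the figures number: one "forward" hop for the forwarding design, and one "iterative" hop per referral for the private-root design.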
a full DNS computer name, which is a concatenation of the host name and the primary DNS suffix. The primary DNS suffix is part of the base machine configuration and is not related to any networking component. Non-networked or non-TCP/IP-based machines do not have a primary DNS suffix. By default, the primary DNS suffix of a computer is set to the DNS domain name of the Active Directory domain to which it is joined.
Figure: DNS names of a multi-homed computer.
  Active Directory domain: MyCompany.com
  Host name: MyComputer
  Primary DNS suffix: MyCompany.com
  Full computer name: MyComputer.MyCompany.com
  Public network (10BaseT adapter), adapter-specific DNS suffix example1.com; DNS names: MyComputer.MyCompany.com, MyComputer.example1.com
  Internal backup network (100BaseT adapter), adapter-specific DNS suffix example2.com; DNS names: MyComputer.MyCompany.com, MyComputer.example2.com
In the picture above, a machine with the host name MyComputer is joined to the MyCompany.com. AD domain.
If the existing DNS tree is implemented with Windows NT 4.0 DNS, the solution is to upgrade the Windows NT 4.0 DNS servers to the Windows 2000 implementation of DNS. If a non-Microsoft DNS implementation is in place and it does not support SRV RRs and Dynamic Update, the question is whether it can be upgraded. Note: The Dynamic Update feature is not required, but it is strongly recommended. If the existing non-Microsoft DNS servers can be upgraded, perform the upgrade.
Flowchart summary (integrating Active Directory with an existing DNS structure): choose the Active Directory domain names. If you have no DNS, design and deploy a Windows 2000 DNS topology. If you have DNS, decide whether your ADS names overlap your DNS namespace: with no overlap, delegate the namespace to Windows 2000 DNS and finish. With overlap, determine your DNS platform and topology. If Windows NT 4 DNS is in place, upgrade it to Windows 2000 DNS. If non-Microsoft DNS is in place and it supports SRV RRs and dynamic update, finish; if it does not, upgrade it when it can be upgraded to support SRV RRs and dynamic update, and otherwise design and deploy a Windows 2000 DNS topology.
secondary zones can be upgraded to DS-integrated zones. At this point the non-Microsoft DNS servers can be safely retired and removed from the network.

Deploying DNS to Support Active Directory
If you are designing a brand new network environment, the process of deploying the Active Directory service and Windows 2000 DNS is relatively straightforward. Chances are, however, that the Active Directory service you are designing will need to be integrated into an existing DNS infrastructure.
Using Automatic Configuration
The Windows 2000 implementation of DNS offers a DNS Server Configuration Wizard, which greatly simplifies the DNS server installation and configuration process. For example, it offers an elegant way of priming the root hints for a new DNS server: the Server Configuration Wizard sends an NS query for the root node, ".", to the computer's preferred (and, possibly, alternate) DNS server(s), and the response is placed into the root hints of the new server.
Figure: WINS referral. Windows 2000-based clients register in DNS (NTDEV.MICROSOFT.COM); Windows NT 4.0- and Windows 2000-based clients register in WINS (WINS server WINS.NTDEV.MICROSOFT.COM); names the DNS server cannot answer are referred to WINS.
In the picture above, a WINS referral zone called wins.mydomain.microsoft.com. has been created and pointed to the WINS database. Assume that a Windows NT 4.
• Enhanced Caching Resolver Service
• Enhanced DNS Manager
To properly deploy DNS in a Windows 2000-based environment, it is recommended to start with the ADS design and then support it with the appropriate DNS namespace. For ADS design, refer to the Windows 2000 Active Directory Namespace Design white paper.

For More Information
For the latest information on Windows 2000, visit our World Wide Web site at http://www.microsoft.com/windows2000

GLOSSARY
AXFR–Full zone transfer: replication of the entire zone file from the master to a secondary server.
UCS-2–A 16-bit character encoding of the Unicode character set.
UTF-8–A variable-length character encoding of Unicode, specified in RFC 2044.
WINS–Windows Internet Name Service (WINS) is the pre-DNS NetBIOS name service. It is still supported in Windows 2000 in order to maintain interoperability between the different generations of Windows computers.
Zone Transfer–Process of replicating a zone from the master server to a slave (secondary) server.