
Changes to DNS in Windows Server 2003

By David Pracht
Purpose
This overview discusses the changes made to Domain Name System (DNS) in Windows Server 2003.
Overview of the changes
• Corrected issues
• DNS auto configuration in DCpromo
• Application directory partitions
• Stub zones
• Conditional forwarders
• Client DNS group policy
• DNS security extensions
• DNS extension mechanism
• DNS logging enhancements
• Round robin update
• Active Directory® domain rename
Corrected Issues
• Disjointed Namespace
  – The Active Directory name is now forced as the domain suffix
• Root Zone Issue
  – A root zone must be created manually
• Island Server Issue
  – DNS servers register their DsaGuid._msdcs.<forestname> record with each DNS server that is a member of the domain
DNS Auto Configuration in DCpromo
Client DNS settings are updated automatically if one of the following scenarios is met:
• There is a single network connection
• The preferred and alternate DNS settings match on all interfaces
• DNS settings exist on only one connection
DNS Auto Configuration Process
1. Query the current DNS servers specified in the network settings.
2. Update root hints using the largest set found.
3. Configure forwarders with the current preferred and alternate DNS servers.
4. Configure the DNS settings with 127.0.0.1 and then configure all previous preferred and alternate DNS servers.
5. If successful, log an event in Event Viewer.
If No Root Hints Found
If no root hints are found, log the following event:
The DNS server could not configure network connections of this computer with the DNS server running on the computer as the preferred DNS server because this computer is connected to the networks with different DNS namespaces. You must manually configure the local DNS server to perform name resolution on one or more of the namespaces before you can modify the preferred DNS servers (part of the TCP/IP configuration) of the network connections.
If the network connections of this computer are not configured with the DNS server running on the computer as the preferred DNS server, this computer may not be able to dynamically register the domain controller locator DNS records in DNS. Absence of these records in DNS may prevent other Active Directory domain members and domain controllers from locating this domain controller.
Take the following steps:
Ensure that DC locator DNS records enumerated in the %WinRoot%./System32/config/netlogon.dns file are registered on the local DNS server.
If these records are not registered in DNS, add a delegation to this server to a parent DNS zone for the zone matching the name of the Active Directory domain or configure the local DNS server with appropriate root hints and forwarders, if necessary, and configure the network connections of the computer with the DNS server running on the computer as the preferred DNS server. Note that other computers using other DNS servers as the preferred or alternate DNS server may not be able to locate this domain controller unless the DNS infrastructure is properly configured.
Application Directory Partitions
• In Microsoft® Windows® 2000, if the DNS server is configured to use Active Directory Integrated zones, then the DNS zone data is stored in the domain naming context (DNC) partition of Active Directory. Every object created in the DNC, which includes DNS zones and nodes (DNS names, such as microsoft.com), is replicated to all the GCs in the domain.
• Conversely, in Windows Server 2003, application directory partitions enable storage and replication of DNS zones stored in the non-domain naming context (NDNC) partition of Active Directory. By using application directory partitions to store the DNS data, essentially all DNS objects are removed from the GC. This is a significant reduction in the number of objects that are normally stored in the GC.
Zone Replication Options
• All DNS servers in the Active Directory forest
  – The zone data is replicated to all the DNS servers running on domain controllers in all domains of the Active Directory forest.
• All DNS servers in a specified Active Directory domain
  – The zone data is replicated to all DNS servers running on domain controllers in the specified Active Directory domain. This option is the default setting for Active Directory-integrated DNS zone replication.
• All domain controllers in the Active Directory domain
• All domain controllers specified in the replication scope of an application directory partition
To Create or Delete an Application Directory Partition
• Open a command prompt.
• Type ntdsutil.
• At the ntdsutil command prompt, type domain management.
• At the domain management command prompt, type connection.
• At the connection command prompt, type connect to server ServerName.
• At the connection command prompt, type quit.
• At the domain management command prompt, do one of the following:
  – To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController.
  – To delete an application directory partition, type delete nc ApplicationDirectoryPartition.
Stub Zones
• Allow a parent domain to automatically identify the DNS servers in a child domain.
• Contain only the SOA, NS, and A records.
• The DNS server is able to query the name servers listed in the NS records directly instead of through recursion with root hints.
• Changes to zones are made when the master zone is updated or loaded.
• The local list of master zones defines physically local servers from which to transfer.
Stub Zone Viewed From DNS Manager (screenshot slide)
Local List of Master Servers
• Master servers are DNS servers that the stub zone will contact to retrieve the necessary resource records.
• To force replication with a specific set of servers, select the Use the list above as a local list of masters check box on the General tab of the stub zone properties.
• This option will only be available if the zone is stored in Active Directory.
• The list is kept in the registry and not replicated in Active Directory.
Stub Zone Properties Tab (screenshot slide)
Conditional Forwarders
• Forward DNS queries, based on the name in the query, to the specific servers that have the closest match, in the order listed.
• You can disable recursion specifically for each forwarder.
• Primarily used for managing name resolution between different namespaces in your network.
Forwarders Tab in DNS Properties (screenshot slide)
Client DNS Group Policy
• Central location for configuring many of the DNS client settings.
• Group policy supersedes any manual or DHCP settings.
• The DNS suffix search list policy is key to transitioning to a NetBIOS-less environment.
• The Update Top Level Domain policy enables Windows XP clients to use a single-label domain name.
DNS Group Policies in the Default Domain Policy (screenshot slide)
Policy Descriptions (1 of 2)
• Primary DNS suffix: Allows you to specify a primary DNS suffix for a group of computers and prevents users, including administrators, from changing it.
• Dynamic update: Determines if dynamic update is enabled.
• DNS suffix search list: When this setting is enabled, if a user submits a query for a single-label name, such as widgets, the local DNS client attaches a suffix, such as microsoft.com, resulting in the query widgets.microsoft.com before sending the query to a DNS server.
• Primary DNS suffix devolution: Determines whether the DNS client performs primary DNS suffix devolution in a name resolution process.
• Register PTR records: Determines whether the registration of PTR resource records is enabled for the computers to which this policy is applied.
• Registration refresh interval: Specifies the registration refresh interval of A and PTR resource records for computers to which this setting is applied. This setting may be applied only to computers using dynamic update.
Policy Descriptions (2 of 2)
• Replace addresses in conflicts: Determines whether a DNS client that attempts to register its A resource record should overwrite an existing A resource record containing conflicting IP addresses.
• Register DNS records with connection-specific DNS suffix: Determines if a computer performing dynamic registration may register its A and PTR resource records with a concatenation of its computer name and a connection-specific DNS suffix.
• TTL set in the A and PTR records: Specifies the value for the Time-To-Live (TTL) field in A and PTR resource records registered by the computers to which this setting is applied.
• Update security level: Specifies whether the computers to which this setting is applied use secure dynamic update or standard dynamic update to register DNS records.
• Update top-level domain zones: Specifies whether the computers to which this policy is applied may send dynamic updates to zones named with a single-label name, also known as top-level domain zones, for example, com.
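The suffix handling these policy descriptions cover, as an added example that is not part of the original deck: candidate_names applies the suffix search list, primary DNS suffix and devolution rules to a user-typed name, and registration_names shows which names the connection-specific-suffix and top-level-domain policies let a client register. Assumptions not stated on the slides: devolution stops at the second-level domain, a configured search list suppresses the primary suffix and devolution, and an unqualified multi-label name is tried as typed before suffixes are appended.

```python
def candidate_names(name, primary_suffix=None, search_list=None, devolution=True):
    """FQDNs the DNS client tries, in order, for a name a user typed."""
    if name.endswith("."):
        return [name]                         # fully qualified: queried unchanged
    tried = [name] if "." in name else []     # unqualified multi-label: as typed first
    if search_list:
        # a configured suffix search list replaces the primary suffix and devolution
        return tried + [f"{name}.{s.strip('.')}" for s in search_list]
    if not primary_suffix:
        return tried or [name]
    labels = primary_suffix.strip(".").split(".")
    tried.append(f"{name}.{'.'.join(labels)}")
    if devolution:
        # devolve one label at a time, stopping at the second-level domain (assumption)
        while len(labels) > 2:
            labels = labels[1:]
            tried.append(f"{name}.{'.'.join(labels)}")
    return tried


def registration_names(computer, primary_suffix, connection_suffix=None,
                       register_connection_specific=False, allow_tld_updates=False):
    """Names the client would try to register A/PTR records for."""
    wanted = [f"{computer}.{primary_suffix.strip('.')}"]
    if register_connection_specific and connection_suffix:
        wanted.append(f"{computer}.{connection_suffix.strip('.')}")
    # a single-label suffix (e.g. "com") names a top-level-domain zone; updates to
    # such zones are sent only when the "Update top-level domain zones" policy allows
    return [n for n in wanted if allow_tld_updates or "." in n.split(".", 1)[1]]
```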
DNS Security Extensions
• DNSSEC allows RRs and zones to have integrity and encryption.
• Zones and resource records (RRs) are signed with a private key.
• Windows Server 2003 only provides basic support:
  – Can only act as a secondary zone.
  – Cannot sign zones or resource records.
• The DNS server sends both signed and unsigned records in response to a query.
• The Windows Server 2003 client does not authenticate records; it simply passes them to the application.
New DNSSEC Records
• KEY: Public key resource record
  – Contains the public key.
• SIG: Signature resource record
  – Contains the signature.
• NXT: Next resource record
  – Enables the DNS server to inform the client that a particular domain does not exist.
DNS Extension Mechanism
• OPT Resource Record
• As described in RFC 2671, EDNS0 uses an OPT pseudo-RR that is added to the additional data section of either a DNS request or a DNS response to indicate the sender's ability to handle the extended DNS protocols.
• It is called a pseudo-RR because it pertains to a particular transport-level message and not to any actual DNS data.
• OPT RRs are never cached, forwarded, stored in, or loaded from zone files.
DNS Extension Mechanism (continued)
• Allows the DNS server to send User Datagram Protocol (UDP) packets larger than 512 bytes.
• The UDP length is defined in the OPT RR that is part of a DNS query.
• EDNS0 support is server-side, not client-side.
• EDNS0 cache: the server caches which hosts support EDNS0 for one month.
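The OPT pseudo-RR described on the two slides above, as an added example that is not from the original deck: build_query appends an OPT RR to a query to advertise a UDP payload size larger than 512 bytes, and find_opt locates the OPT RR in any message (including one whose answers use compressed names) and decodes the CLASS and TTL fields that EDNS0 reuses. Function and constant names are the example's own.

```python
import struct
OPT_TYPE = 41            # RFC 2671 OPT pseudo-RR type code
CLASSIC_UDP_LIMIT = 512  # largest UDP reply when no OPT RR is present

def encode_name(name):
    """Encode a dotted name as DNS labels; the root name "." is a single zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(qname, qtype=1, udp_payload=4096, txid=0x1234):
    """Standard query (RD=1) with one OPT RR in the additional section."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 1)          # QDCOUNT=1, ARCOUNT=1
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: empty owner name, TYPE=41, CLASS carries the sender's UDP payload size,
    # TTL carries extended RCODE / version 0 / flags, RDLEN=0 (no options attached)
    opt = encode_name(".") + struct.pack("!HHIH", OPT_TYPE, udp_payload, 0, 0)
    return header + question + opt

def skip_name(msg, pos):
    """Offset just past the (possibly compressed) name that starts at pos."""
    while True:
        length = msg[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:       # compression pointer: 2 bytes end the name
            return pos + 2
        pos += 1 + length

def find_opt(msg):
    """Decode the OPT RR of a DNS message, or return None if there is none."""
    _txid, _flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4    # skip QTYPE and QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, pos)
        pos += 10
        if rtype == OPT_TYPE:
            return {"udp_payload": rclass,           # CLASS field = payload size
                    "ext_rcode": ttl >> 24,          # top 8 bits of the TTL field
                    "version": (ttl >> 16) & 0xFF,   # must be 0 for EDNS0
                    "flags": ttl & 0xFFFF}           # e.g. 0x8000 = DO bit
        pos += rdlen
    return None

def max_udp_reply(msg):
    # a responder must fall back to 512 bytes when the sender advertises nothing
    opt = find_opt(msg)
    return opt["udp_payload"] if opt else CLASSIC_UDP_LIMIT
```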
DNS Logging Enhancements
• Debug Logging: Most logging options have not changed, but the graphical user interface (GUI) has been updated to make it much easier to configure logging for troubleshooting purposes.
• Enable filtering based on the IP address: Provides additional filtering of the packets to be logged based on IP address.
• Event Logging tab: Controls the level of events logged.
Event and Debug Logging Tabs (screenshot slide)
Round Robin Update
• You can now specify that certain RR types are not to be round-robin rotated.
• This is modified using a registry entry called DoNotRoundRobinTypes with a string value containing a list of RR types.
• The registry value is located at HKLM\System\CurrentControlSet\Services\DNS\Parameters\DoNotRoundRobinTypes
Active Directory Domain Rename Behavior
• Found in the Rendom.exe tool.
• The DC Locator records associated with the new name are pre-published in the authoritative DNS servers by the Netlogon service running on the domain controllers of the domain:
  – CNAME <DsaGuid>._msdcs.<DnsForestName>
  – SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
  – SRV _ldap._tcp.gc._msdcs.<DnsForestName>
  – SRV _ldap._tcp.dc._msdcs.<DnsDomainName>
Rendom.exe
Verifies the integrity of the domain. This includes the ability to verify the presence or absence of DC Locator resource records on authoritative DNS servers.
Resource Records Affected by a Domain Rename
• CNAME <DsaGuid>._msdcs.<DnsForestName>
  There must be one CNAME record associated with every domain controller in all authoritative DNS servers. This ensures that replication will take place from that domain controller.
• SRV _ldap._tcp.pdc._msdcs.<DnsDomainName>
  There must be one SRV record pertaining to the PDC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers.
• SRV _ldap._tcp.gc._msdcs.<DnsForestName>
  There must be at least one record pertaining to at least one GC on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one GC, while other DNS servers may contain the records of this type registered by other GCs. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will eventually replicate to all authoritative DNS servers.
• SRV _ldap._tcp.dc._msdcs.<DnsDomainName>
  There must be at least one record pertaining to at least one domain controller on all authoritative DNS servers. This ensures the functioning of authentication of users and computers. For example, one DNS server may contain a record of this type registered by one domain controller, while other DNS servers may contain the records of this type registered by other domain controllers. It is temporarily sufficient if there is at least one record of this type present on all authoritative DNS servers. The other records will
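A check in the spirit of the Rendom.exe verification the slides describe, added here as an example and not Microsoft's tool or code: it applies the four record rules above to a constructed snapshot of the DC Locator records held by each authoritative DNS server. Server names, GUIDs and the record tuples are constructed sample data.

```python
FOREST, DOMAIN = "corp.example", "sales.corp.example"          # constructed names
DC_GUIDS = {"dc1": "11111111-1111-1111-1111-111111111111",      # constructed DSA GUIDs
            "dc2": "22222222-2222-2222-2222-222222222222"}

# Constructed snapshot: (type, owner name, target) records on two authoritative servers.
SERVERS = {
    "ns1.corp.example": {
        ("CNAME", f"{DC_GUIDS['dc1']}._msdcs.{FOREST}", "dc1.sales.corp.example"),
        ("CNAME", f"{DC_GUIDS['dc2']}._msdcs.{FOREST}", "dc2.sales.corp.example"),
        ("SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}", "dc1.sales.corp.example"),
        ("SRV", f"_ldap._tcp.gc._msdcs.{FOREST}", "dc1.sales.corp.example"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc1.sales.corp.example"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc2.sales.corp.example"),
    },
    "ns2.corp.example": {  # dc2's CNAME and the GC SRV have not replicated here yet
        ("CNAME", f"{DC_GUIDS['dc1']}._msdcs.{FOREST}", "dc1.sales.corp.example"),
        ("SRV", f"_ldap._tcp.pdc._msdcs.{DOMAIN}", "dc1.sales.corp.example"),
        ("SRV", f"_ldap._tcp.dc._msdcs.{DOMAIN}", "dc2.sales.corp.example"),
    },
}


def verify_locator_records(servers, forest, domain, dc_guids):
    """Apply the slides' four rules to every authoritative server's record set.

    Returns a list of problems (empty when every server passes): every domain
    controller needs its CNAME on every server, exactly one PDC SRV is expected,
    and for the GC and DC SRVs one record from any GC or DC suffices per server."""
    problems = []
    for server, records in servers.items():
        targets = {}                       # (type, owner) -> set of targets
        for rtype, owner, target in records:
            targets.setdefault((rtype, owner), set()).add(target)
        for dc, guid in dc_guids.items():
            if ("CNAME", f"{guid}._msdcs.{forest}") not in targets:
                problems.append(f"{server}: missing CNAME for {dc}")
        pdc = targets.get(("SRV", f"_ldap._tcp.pdc._msdcs.{domain}"), set())
        if len(pdc) != 1:
            problems.append(f"{server}: expected exactly one PDC SRV, found {len(pdc)}")
        for label, owner in (("GC", f"_ldap._tcp.gc._msdcs.{forest}"),
                             ("DC", f"_ldap._tcp.dc._msdcs.{domain}")):
            if not targets.get(("SRV", owner)):
                problems.append(f"{server}: no {label} SRV record")
    return problems
```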
Acknowledgements
• Microsoft employee
  – Jeff Bryant, Beta Technology Support Professional, Microsoft Corporation
• Microsoft internal specifications
  – Automatic configuration of DNS client during installation of a local DNS server by DCpromo, Levon Esibov, and others
  – Group Policies for DNS Client, Levon Esibov, and others
  – Domain Based Forwarding, Levon Esibov, and others
  – Logging Enhancements, Levon Esibov, and others
  – Stub DNS Zones, Levon Esibov, and others
  – DNS Update API Enhancements – Resolve the Island Problem, Levon Esibov, and others
  – DNS Zones stored in NDNC, Levon Esibov, and others
  – Store DNSSEC records, Levon Esibov, and others
  – EDNS0, Levon Esibov, and others
  – Verification of Resource Records crucial to authentication and replication during Domain Rename, Kamal Janardhan, and others
• Other publications
  – Windows .NET DNS Help and preliminary Windows .NET Server Resource Kit DNS chapters, Michael Cretzman.
  – Windows .NET Server DNS Whitepaper v.61, Steve Hahn, BTS
