Tip – Background Zone Loading, New Functionality in Win Server 2008 DNS

Microsoft has changed the way the DNS server loads zone data into memory. On earlier versions, a DNS server holding very large zones in Active Directory Domain Services could take an hour or more to load them at startup, and it answered no client queries until loading finished. Windows Server 2008 loads zones in the background: the server starts answering queries almost immediately, serving records from zones that are already loaded and fetching individual records from AD DS on demand for zones that are still loading.

Read more here…

http://www.serverwatch.com/tutorials/article.php/3778316

Tip – ‘GlobalNames’ Zone, A DNS Feature in Windows Server 2008

Many Microsoft customers still run WINS in their networks. WINS is typically a secondary name resolution service for NetBIOS names and relies on NetBIOS over TCP/IP (NBT). Organizations keep it because they want static, single-label names for their enterprise servers. The GlobalNames zone gives DNS a way to resolve such single-label names (statically created CNAME records, not dynamic registrations) so that WINS can eventually be retired.

Read more here…

http://www.serverwatch.com/tutorials/article.php/3769461

Why does DNS work on both TCP and UDP?

In interviews I have been asked many times which transport protocol DNS uses. I say: both TCP and UDP. Then they ask why it uses both, and that is where I got stuck: I knew it works on both but could not say why. Here is the answer I pieced together from several web resources. The basic difference is that TCP is connection-oriented and reliable: it sets up a session, acknowledges and retransmits lost segments, and delivers data in order. UDP is connectionless: each datagram stands alone, nothing is acknowledged or retransmitted, and the application has to cope with loss, duplication and reordering itself. That makes UDP cheap (one packet out, one packet back) but unsuitable for anything that must arrive complete and in order.

Classic DNS limits a message carried over UDP to 512 bytes (RFC 1035); a server whose answer does not fit sets the TC (truncated) flag in the reply. UDP datagrams themselves can be much larger, and the EDNS0 extension lets a client advertise a bigger UDP buffer, but 512 bytes is the baseline every resolver can rely on. Anything that needs to move more than that over DNS uses TCP.

People often ask why a service would use both protocols. Since TCP is connection-oriented and reliable and UDP is not, a service could rely on TCP alone, so why use UDP at all? Because a single name query and its answer each fit in one packet; a TCP three-way handshake and teardown would roughly triple the traffic and the latency for no benefit.

DNS uses both for good reasons. Name queries, forward and reverse (PTR) lookups alike, go over UDP port 53. If an answer would exceed 512 bytes the server truncates it and sets the TC flag, and the client then repeats the same query over TCP port 53. Zone transfers (AXFR/IXFR) always use TCP. Note that a missing reply is handled differently: if the client gets no response at all, it retransmits the query over UDP after a short timeout of a few seconds (and tries its other configured servers); it does not switch to TCP on a timeout, only on a truncated reply.

Zone data must be consistent between the servers that hold it, so DNS always transfers zones over TCP: the reliable, ordered stream guarantees that the requesting secondary receives the complete zone (AXFR) or the complete set of changes since its serial number (IXFR), which can be far larger than 512 bytes. From a security standpoint this also means the transport does nothing to stop a stranger from pulling your zone: restrict zone transfers to the IP addresses of your own secondaries (Zone Properties > Zone Transfers on Windows DNS) so that an attacker cannot enumerate every host in your network with a single AXFR.
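To make the mechanism concrete, here is an added Python example (it is not from the original page). It builds a raw DNS query, parses the reply header, and implements the client rule just described: UDP first, retry over UDP on a timeout, and only repeat the query over TCP, with DNS's 2-byte TCP length prefix, when the reply carries the TC flag; zone transfers go straight to TCP. The server it talks to is a constructed stand-in (make_fake_server) that answers with as many A records as you ask for and truncates over UDP past 512 bytes, so everything runs offline; example.com and the 192.0.2.x addresses are placeholders. It also checks that the reply's transaction ID matches the query, which a real resolver must do before trusting an answer.

```python
import random
import struct

DNS_UDP_MAX = 512                      # RFC 1035 limit for a DNS message over UDP (without EDNS0)
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_TC = 0x8000, 0x0100, 0x0080, 0x0200
QTYPE = {"A": 1, "PTR": 12, "SRV": 33, "AXFR": 252}


def encode_name(name):
    """'example.com.' -> b'\\x07example\\x03com\\x00' (RFC 1035 label format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype, txid):
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)   # 1 question, RD set
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "tc": bool(flags & FLAG_TC), "rcode": flags & 0xF, "ancount": an}


def tcp_frame(msg):
    """DNS over TCP prefixes every message with its 2-byte big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def tcp_unframe(stream):
    (n,) = struct.unpack("!H", stream[:2])
    return stream[2:2 + n]


def resolve(name, qtype, send, retries=3):
    """send(transport, wire_bytes) -> reply bytes, or None on timeout.
    Returns (transport that produced the final answer, parsed reply header)."""
    txid = random.randrange(0x10000)
    q = build_query(name, qtype, txid)
    if qtype == "AXFR":                              # zone transfers always go over TCP
        return "tcp", parse_header(tcp_unframe(send("tcp", tcp_frame(q))))
    reply = None
    for _ in range(retries):                         # a timeout means retry over UDP, not TCP
        reply = send("udp", q)
        if reply is not None:
            break
    if reply is None:
        raise TimeoutError(f"no UDP reply for {name}/{qtype} after {retries} tries")
    hdr = parse_header(reply)
    if hdr["id"] != txid:                            # stale or spoofed reply: never accept it
        raise ValueError("transaction ID mismatch")
    if not hdr["tc"]:
        return "udp", hdr
    # TC=1: the answer did not fit in 512 bytes; repeat the same query over TCP
    hdr = parse_header(tcp_unframe(send("tcp", tcp_frame(q))))
    if hdr["id"] != txid:
        raise ValueError("transaction ID mismatch on TCP retry")
    return "tcp", hdr


def make_fake_server(n_answers):
    """Constructed stand-in for an authoritative server: returns n_answers A records
    (192.0.2.x, documentation addresses) for whatever is asked; over UDP it truncates
    (TC=1) when the reply would exceed 512 bytes."""
    def send(transport, wire):
        q = wire if transport == "udp" else tcp_unframe(wire)
        txid = parse_header(q)["id"]
        question = q[12:]
        # one A answer: compressed owner pointer, type, class, TTL, rdlength, 4 octets = 16 bytes
        answers = b"".join(struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 192, 0, 2, i & 0xFF)
                           for i in range(n_answers))
        flags = FLAG_QR | FLAG_RD | FLAG_RA
        if transport == "udp" and 12 + len(question) + len(answers) > DNS_UDP_MAX:
            # RFC 1035 truncation: keep header and question, set TC, drop the answers
            return struct.pack("!HHHHHH", txid, flags | FLAG_TC, 1, 0, 0, 0) + question
        resp = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0) + question + answers
        return resp if transport == "udp" else tcp_frame(resp)
    return send


if __name__ == "__main__":
    print(resolve("example.com.", "A", make_fake_server(3)))      # fits: answered over UDP
    print(resolve("example.com.", "A", make_fake_server(40)))     # 40 x 16 B > 512: TC, then TCP
    print(resolve("example.com.", "AXFR", make_fake_server(40)))  # zone transfer: TCP from the start
```

The send callable is injected so the same resolve() can be pointed at real sockets (sendto/recvfrom for "udp", a connected stream for "tcp"); the only transport-specific detail the caller must get right is the length prefix, which tcp_frame and tcp_unframe handle.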

More on this:

A problem shows up with Windows 2000 Server and Advanced Server, whose DNS server sends its own outbound (recursive) queries from dynamic source ports above 1023. If that server is Internet-facing, i.e. it performs all the standard queries for the client machines on the network itself, the router ACLs must permit inbound UDP to any high port for the replies to get back in. Opening every high UDP port inbound is a poor trade; prefer a stateful firewall that only admits a reply matching an outbound query, or keep the internal DNS server off the Internet altogether and forward to a resolver in the perimeter network.

Now LDAP. LDAP directory operations (bind, search, modify) always use TCP (port 389, or 636 for LDAP over SSL/TLS), and there is a reason it is not UDP: a session has to be established between client and server, authenticated, and optionally signed and sealed, and the results of a search can span many packets that must arrive complete and in order. UDP port 389 is used only for connectionless LDAP (CLDAP), the lightweight "ping" the domain controller locator sends when finding a domain controller to check that it is alive and which site it serves; Kerberos authentication itself runs on port 88 over both UDP and TCP.

Which DNS Server should you use?

The DNS server that ships with Windows 2000/2003 Server.

Advantages:

1. Dynamic registration of the SRV records that each domain controller registers when it is promoted (and that the Netlogon service re-registers periodically). Client machines use these SRV records to find domain controllers in your network.

2. *Secure dynamic updates*: only authenticated domain members (Kerberos-signed updates via GSS-TSIG) can add records to the zone, and by default only the account that created a record can change it, so an unauthorized machine cannot overwrite someone else's host record.

3. Exchange Server needs an internal DNS or the AD DNS to locate Global Catalog servers.

4. Active Directory integrated zones. If you have more than one domain controller (recommended), you need not worry about zone replication: AD replication carries the DNS zone data along with everything else.

5. A Windows DHCP server in an AD forest must be authorized in Active Directory before it will lease addresses, so a rogue Windows DHCP server brought up on another network segment will not service client requests. (This check applies only to Windows DHCP servers; it does nothing against a non-Windows rogue DHCP server.)

You can also use NT 4.0 DNS with Service Pack 4 or later. It supports SRV records but not dynamic update, so the records from each domain controller's %SystemRoot%\System32\Config\netlogon.dns file have to be added to the zone by hand.

For BIND you must be running at least version 4.9.7, which supports SRV records and meets the minimum requirement for Active Directory. BIND 8.2.1 and later also support dynamic updates and incremental zone transfers (IXFR) in addition to SRV records.

Based on tests performed by various vendors and Microsoft, the recommended BIND version that works best with Active Directory is BIND 8.2.2. Keep in mind that BIND servers do not support Active Directory integrated zones, and that is the essential difference between using MS DNS and an external DNS to support Active Directory. Beyond SRV and dynamic update support, replication is also affected: an AD-integrated zone replicates through directory replication with no separate DNS replication to plan, whereas BIND is limited to standard primary and secondary zones and the zone transfers between them.

So using MS DNS gives the following benefits:

Secure dynamic updates on networks that require them.

Zone replication through Active Directory replication.

DHCP integrated with DNS, so that down-level clients (Windows 9x/NT 4.0) that cannot register themselves get their host records registered in MS DNS by the DHCP server.

Microsoft support for its own DNS with Active Directory is better than what you get for external DNS servers.

Many articles, including troubleshooting articles, have been written on MS DNS with Active Directory.

Have a look at these articles:

Active Directory design consideration:
http://www.windowsnetworking.com/articles_tutorials/Active-Directory-Design-Considerations-Small-Networks.html

DNS and Active Directory:
http://www.windowsitpro.com/Windows/Article/ArticleID/21128/21128.html

Securing DNS by design:
http://www.windowsecurity.com/articles/Securing_Windows_2000_DNS_by_design_Part_1.html

Frequently asked questions about DNS
http://support.microsoft.com/kb/291382/

When it is safe to remove a DNS Server (Active Directory Integrated)

Not all of the points below apply to every server; point 2 applies only to a primary server.

Here are basic guidelines for removing a DNS server from the network.

Points for your review:

You can safely remove any DNS server in your network unless one of the following conditions is true:

1. The DNS server is authoritative for an Active Directory domain or any other DNS zone.

If you remove a DNS server that is authoritative for a zone in your network, you lose the SRV records it served and, with them, the connectivity to domain controllers that went through this server. If it held the only copy of a standard primary zone, the zone data itself is gone.

2. It is the primary DNS server and you have configured the DNS servers on the other domain controllers as secondaries for its zones. Removing it breaks zone transfers: the secondaries can no longer refresh and, once their expire interval passes, they stop answering for the zone. (This applies to standard primary zones; AD-integrated zones have no single primary.)

3. A domain is delegated to this server, i.e. it hosts a child zone that the parent zone delegates to it.

4. This server is named as the primary master in the SOA record of a zone held by other authoritative servers. Dynamic updates and the secondaries' refresh checks are directed at the SOA primary master.

5. Your clients are configured to use this DNS server. Taking it out of service will cause problems: clients will not be able to log on to the network or find domain controllers.

These are the basic guidelines to consider before removing a DNS server from your network.
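To turn the five conditions into something you can run against an inventory before touching a server, here is an added Python example (it is not from the original page). It models each zone by its SOA primary master, its NS record set, its delegations and, for standard zones, the server holding the primary copy, plus the DNS server lists configured on clients, and reports which of the conditions above still apply to the server you intend to remove. The hosts, zones and clients in it are constructed, not real.

```python
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    soa_mname: str                 # server named as primary master in the SOA record
    ns: set                        # hosts in the NS record set at the zone apex
    ad_integrated: bool = False    # replicated by AD, so there is no single primary copy
    primary: str = ""              # standard zones only: server holding the primary copy
    delegations: dict = field(default_factory=dict)   # child zone -> set of NS hosts it is delegated to


def _norm(host):
    return host.rstrip(".").lower()


def removal_blockers(server, zones, client_dns):
    """Return one reason per guideline point (1-5) that applies to 'server'.
    zones: list of Zone; client_dns: {client name: [DNS servers it is configured with]}.
    An empty list means none of the conditions apply and the server can be removed."""
    server = _norm(server)
    reasons = []
    for z in zones:
        if server in {_norm(h) for h in z.ns}:
            reasons.append(f"1: authoritative for {z.name} (listed in its NS record set)")
            if not z.ad_integrated and _norm(z.primary) == server:
                reasons.append(f"2: primary for standard zone {z.name}; its secondaries would stop transferring")
        for child, hosts in z.delegations.items():
            if server in {_norm(h) for h in hosts}:
                reasons.append(f"3: hosts {child}, which is delegated from {z.name}")
        if _norm(z.soa_mname) == server:
            reasons.append(f"4: named as SOA primary master (MNAME) of {z.name}; updates and refresh checks go there")
    for client, servers in client_dns.items():
        if server in {_norm(h) for h in servers}:
            reasons.append(f"5: client {client} still lists it as a DNS server")
    return reasons


# Constructed inventory (not real hosts): two DCs, an AD-integrated zone with a delegated
# child hosted on dc2, a standard zone with dc1 as primary, and two clients.
ZONES = [
    Zone("corp.example.com", soa_mname="dc1.corp.example.com",
         ns={"dc1.corp.example.com", "dc2.corp.example.com"}, ad_integrated=True,
         delegations={"branch.corp.example.com": {"dc2.corp.example.com"}}),
    Zone("legacy.example.com", soa_mname="dc1.corp.example.com",
         ns={"dc1.corp.example.com", "dc2.corp.example.com"},
         primary="dc1.corp.example.com"),
]
CLIENTS = {"pc1": ["dc1.corp.example.com", "dc2.corp.example.com"],
           "pc2": ["dc2.corp.example.com"]}

if __name__ == "__main__":
    for dc in ("dc1.corp.example.com", "dc2.corp.example.com", "dc3.corp.example.com"):
        found = removal_blockers(dc, ZONES, CLIENTS)
        print(dc, "-> safe to remove" if not found else "-> blocked:")
        for r in found:
            print("   ", r)
```

Each reason maps to a fix: move the primary copy (or convert the zone to AD-integrated) and change the SOA primary master before you remove the server, update the parent's delegation NS records, repoint clients (or their DHCP scope options), and on a domain controller uninstall the DNS role or demote it cleanly so its NS records are withdrawn rather than left stale.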

Active Directory naming information for the domain could not be found

Sometimes when you open one of the Active Directory tools you get the error message "Naming information couldn't be contacted", meaning the tool could not find a domain controller to bind to:

Active Directory Users and Computers

Active Directory Domains and Trusts

Active Directory Sites and Services

Domain Security Policy

Domain Controller Security Policy

Active Directory Schema

This happens for one of the following reasons:

1. The SRV records for the Active Directory domain are not registered in the DNS zone.

2. The DNS server could not be contacted for some reason.

3. The A (host) record for the domain controller is missing from the DNS zone.

4. The Netlogon service on the domain controller has been stopped.

5. The domain controller points to the wrong DNS server.

6. The domain controller points to a DNS server that is far away (across a slow WAN link), so lookups time out.

7. The DNS server cannot be contacted because of network congestion.

8. The domain controller or DNS server is overloaded at the moment the DNS client sends its request for domain information, for example because an application running under a service account is flooding the DNS server with queries.

Your DNS zone should look like this for the SRV records:

DNS
 |-- ServerName
     |-- Forward Lookup Zones
         |-- domain_name.com
             |-- _sites
             |   |-- Default-First-Site-Name
             |       |-- _tcp
             |           _ldap     [SRV] 0:100:389:  server_name.domain_name.com.
             |           _gc       [SRV] 0:100:3268: server_name.domain_name.com.
             |           _kerberos [SRV] 0:100:88:   server_name.domain_name.com.
             |-- _tcp
             |   _ldap     [SRV] 0:100:389:  server_name.domain_name.com.
             |   _gc       [SRV] 0:100:3268: server_name.domain_name.com.
             |   _kerberos [SRV] 0:100:88:   server_name.domain_name.com.
             |   _kpasswd  [SRV] 0:100:464:  server_name.domain_name.com.
             |-- _udp
                 _kpasswd  [SRV] 0:100:464:  server_name.domain_name.com.
                 _kerberos [SRV] 0:100:88:   server_name.domain_name.com.

The notation 0:100:389: server_name.domain_name.com. is priority : weight : port : target host. You must have the above SRV records registered in the DNS zone so that the AD tools can get the list of domain controllers available in the domain through the DsGetDcName API call. The locator actually starts with the records under the _msdcs subdomain (_ldap._tcp.dc._msdcs.domain_name.com and its site-specific variant), and the _gc records exist only for the forest root domain, so check those too. A quick check from any domain member is nslookup -type=SRV _ldap._tcp.dc._msdcs.domain_name.com; every target it returns must also resolve to an A record.
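As an added example (not from the original page), the following Python derives the SRV owner names a domain controller should have registered for a given domain and site, including the _msdcs records that DsGetDcName queries first, and checks a zone dump for missing records, wrong ports and SRV targets with no A record. The zone format, the priority:weight:port:target notation and the names domain_name.com, dc1, dc2 and Default-First-Site-Name are constructed to match the tree above; the zone is assumed to be the forest root unless told otherwise.

```python
def expected_port(name):
    """Port a given SRV owner name should advertise (global catalog LDAP is 3268)."""
    svc = name.split(".")[0]
    if svc == "_gc" or ".gc._msdcs." in name:
        return 3268
    return {"_ldap": 389, "_kerberos": 88, "_kpasswd": 464}[svc]


def expected_srv_names(domain, site, forest_root=True):
    """Owner names a healthy domain controller registers (the content of its netlogon.dns).
    _gc records exist only for the forest root domain."""
    d = domain.rstrip(".")
    names = set()
    for svc in ("_ldap", "_kerberos", "_kpasswd", "_gc"):
        if svc == "_gc" and not forest_root:
            continue
        names.add(f"{svc}._tcp.{d}.")
        if svc != "_kpasswd":                       # site-specific variants, as in the tree above
            names.add(f"{svc}._tcp.{site}._sites.{d}.")
    for svc in ("_kerberos", "_kpasswd"):
        names.add(f"{svc}._udp.{d}.")
    # records the DC locator (DsGetDcName) tries first live under the _msdcs subdomain
    names.add(f"_ldap._tcp.dc._msdcs.{d}.")
    names.add(f"_ldap._tcp.{site}._sites.dc._msdcs.{d}.")
    names.add(f"_ldap._tcp.pdc._msdcs.{d}.")
    if forest_root:
        names.add(f"_ldap._tcp.gc._msdcs.{d}.")
    return names


def parse_srv(text):
    """'0:100:389: dc1.domain_name.com.' (priority:weight:port:target, the notation used in
    the tree above) -> dict; the target is normalised to a lower-case FQDN with trailing dot."""
    prio, weight, port, target = (p.strip() for p in text.split(":", 3))
    return {"priority": int(prio), "weight": int(weight), "port": int(port),
            "target": target.rstrip(".").lower() + "."}


def check_zone(zone, domain, site, forest_root=True):
    """zone: {owner name: [(rrtype, rdata), ...]}. Returns a list of problems; empty == healthy."""
    findings = []
    for name in sorted(expected_srv_names(domain, site, forest_root)):
        srvs = [parse_srv(rdata) for rrtype, rdata in zone.get(name, []) if rrtype == "SRV"]
        if not srvs:
            findings.append(f"missing SRV {name}")
            continue
        for rec in srvs:
            if rec["port"] != expected_port(name):
                findings.append(f"{name} -> {rec['target']} advertises port {rec['port']}, "
                                f"expected {expected_port(name)}")
            if not any(rrtype == "A" for rrtype, _ in zone.get(rec["target"], [])):
                findings.append(f"{name} -> {rec['target']} has no A record in the zone")
    return findings


def build_healthy_zone(dc_fqdn, ip, domain, site, forest_root=True):
    """Constructed zone content equivalent to one DC's Netlogon registrations plus its A record."""
    dc = dc_fqdn.rstrip(".").lower() + "."
    zone = {dc: [("A", ip)]}
    for name in expected_srv_names(domain, site, forest_root):
        zone[name] = [("SRV", f"0:100:{expected_port(name)}: {dc}")]
    return zone


if __name__ == "__main__":
    z = build_healthy_zone("dc1.domain_name.com", "10.0.0.5", "domain_name.com", "Default-First-Site-Name")
    print(check_zone(z, "domain_name.com", "Default-First-Site-Name"))          # [] when healthy
    del z["_ldap._tcp.dc._msdcs.domain_name.com."]                               # the locator's first lookup
    z["_gc._tcp.domain_name.com."] = [("SRV", "0:100:3268: dc2.domain_name.com.")]  # dangling target
    for finding in check_zone(z, "domain_name.com", "Default-First-Site-Name"):
        print(finding)
```

To run it against a real zone, export it with dnscmd /zoneexport (or read the zone file from %SystemRoot%\System32\dns) and load the owner names and SRV rdata into the same dictionary shape; a finding of "missing SRV" on a DC that is up usually means Netlogon has not registered (restart the Netlogon service) or the zone does not allow dynamic updates.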

These are the basic guidelines for the DNS and TCP/IP configuration on a server:

1. On a DC or DNS server: make sure the DNS server setting in TCP/IP properties points to the server's own IP address.

2. Make sure dynamic update (preferably secure dynamic update only) is enabled on the authoritative zone.

3. Make sure the SOA record of the zone names the correct DNS server, and that the name resolves to its IP address.

4. Run ipconfig /registerdns from a command prompt to register the server's A records in the zone; on a domain controller, restart the Netlogon service (net stop netlogon followed by net start netlogon) to re-register the SRV records as well.

5. If there are two network cards, make sure the internal NIC of the server is listed first in the binding order.

DNS and Active Directory best practices

1. The DNS server setting in the domain controller's TCP/IP properties points to itself.

2. You have configured the Forwarders tab in the DNS server properties for Internet name resolution.

3. The box "Register this connection's addresses in DNS" in TCP/IP properties is checked.

4. The SOA and NS records point to this DNS server. Expand Forward Lookup Zones > domain_name.com, find the SOA and NS records in the right pane, and make sure they name this DNS server and that the name resolves to its IP address.

5. If you have *two NICs*, make sure DNS is only *listening* on the LAN interface (DNS server properties > Interfaces).

6. Run ipconfig /registerdns on the domain controller.

7. Remove the ISP's DNS server address if you have configured it on the internal NIC; a domain controller must resolve through internal DNS only, because the ISP's servers know nothing about your AD zones and a client that queries them first will fail to find domain controllers.

8. Make sure dynamic update is enabled on the DNS zone.

9. Make sure clients are configured with the domain_name.com DNS suffix.

This DNS server will not forward requests to the ISP's DNS servers until it is configured to do so in the Forwarders tab of the DNS server properties.

Ref:

For Internet access:

Delete the root zone (the zone named ".") from your forward lookup zones, since a server that hosts the root zone believes it is a root server and will neither recurse nor forward. Then open the DNS server properties and configure forwarders pointing to your ISP's DNS servers.

Using Forwarders in DNS:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/1cd13da9-ed0a-4814-b0bb-e46e8ac1e321.mspx

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382
Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows 2000
http://support.microsoft.com/?kbid=316341
HOW TO: Configure DNS for Internet Access in Windows 2000
http://support.microsoft.com/?kbid=300202

Troubleshooting Common Active Directory Setup Issues in Windows 2000
http://support.microsoft.com/?kbid=260371

10 DNS Errors That Will Kill Your Network
http://www.mstraining.com/misc/10_dns_errors_that_will_kill_you.htm
Troubleshooting Active Directory DNS Errors in Windows 2000
http://www.microsoft.com/windows2000/dns/tshoot/dns_tshoot2A.asp
SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897
How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515
How Domain Controllers Are Located in Windows
http://support.microsoft.com/?kbid=247811
How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861
HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380
HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567

Determining the Server GUID of a Domain Controller
http://support.microsoft.com/?kbid=224544
GUID Records Are Not Registered If MX Record with Wildcard Character Is Present
http://support.microsoft.com/?kbid=325208
Windows 2000 DNS and Active Directory Information and Technical Resources
http://support.microsoft.com/?kbid=298448
Setting Up the Domain Name System for Active Directory
http://support.microsoft.com/?kbid=237675