Microsoft Server windows 2000 DNS User Manual
Operating System
Windows 2000 DNS
White Paper
Abstract

This paper describes the Microsoft® Windows® 2000 operating system Domain Naming System (DNS), including design, implementation, and migration issues. It discusses new features of the Windows 2000 implementation of DNS, provides examples of DNS implementations, and describes the architectural criteria that network architects and administrators should consider when designing a DNS namespace for the Active Directory® service to provide reliable network naming services.

Summary of Contents

Page 1 - Windows 2000 DNS

Operating System. Windows 2000 DNS. White Paper. Abstract: This paper describes the Microsoft® Windows® 2000 operating system Domain Naming System (DNS), incl

Page 2

superseded by RFC 1034 (Domain Names–Concepts and Facilities), and RFC 1035 (Domain Names–Implementation and Specification). RFCs that describe DNS secu

Page 3 - CONTENTS

[Figure: DNS namespace tree with top-level domains com, edu, gov, mil, int/net/org; second-level nodes microsoft, mydomain, mit, whitehouse, army; labels "Managed by Registration Authority" and "Managed by Microsoft"] DNS and Internet. The Int

Page 4

Description | Class | TTL | Type | Data: Start of Authority | Internet (IN) | Default TTL is 60 minutes | SOA | Owner Name, Primary Name Server DNS Name, Serial Number, Refre

Page 5

• A need to delegate management of a DNS domain to a number of organizations or departments within an organization • A need to distribute the load of ma

Page 6

The changes made to the primary zone file are then replicated to the secondary zone file. As mentioned above, a name server can host multiple zones. A

Page 7 - DNS FUNDAMENTALS

or a successful response. Resolvers typically make recursive queries. With a recursive query, the DNS server must contact any other DNS servers it need

Page 8 - Name Services in Windows 2000

www.whitehouse.gov: • Recursive query for www.whitehouse.gov (A RR) • Iterative query for www.whitehouse.gov (A RR) • Referral to the gov name server (NS

Page 9 - History of DNS

• Incremental Zone Transfer (IXFR) • Dynamic Update and Secure Dynamic Update • Unicode Character Support • Enhanced Domain Locator • Enhanced Caching Res

Page 10 - The Structure of DNS

Each Active Directory service object has attributes associated with it that define particular characteristics of the object. The classes of objects in t

Page 11 - Windows 2000 White Paper

Note: Only DNS servers running on domain controllers can load DS integrated zones. The Replication Model: Since DNS zone information is now stored in Acti

Page 12 - Windows 2000 White Paper 6

© 1999 Microsoft Corporation. All rights reserved. The information contained in this document represents the current view of Microsoft Corporation on th

Page 13 - Replicating the DNS database

Note that only DNS server supports the Secure Dynamic Updates for the DS-integrated zones. Windows 2000 implementation provides even finer granularity

Page 14 - WINDOWS 2000 DNS

The following diagram details the incremental transfer mechanism. [Figure labels: Master DNS Server, Slave DNS Server 1, Serial Number 11, Serial Number 10, Serial Number 8, IXFR S

Page 15

protocols, rendered manual updating of DNS information insufficient and unusable. No human administrator can be expected to keep up with dynamic addres

Page 16 - Updating the DNS Database

The dynamic update algorithm differs depending on the type of client network adapter engaging in the dynamic update process. The following three scenar

Page 17

client's PTR RR. Also, the DHCP server will remove the corresponding A records if configured to "Discard forward lookups when leases expire." Statically

Page 18 - Windows 2000 White Paper 12

algorithm defined in the Internet Draft "GSS Algorithm for TSIG (GSS-TSIG)." This algorithm is based on the Generic Security Service Application Progra

Page 19 - Controlling Access to Zones

In step 1, the client queries the local name server to discover which server is authoritative for the name it is attempting to update, and the local na

Page 20 - Incremental Zone Transfer

however, can be changed through the registry. Controlling Update Access to Zones and Names: Active Directory controls access to the secure DNS zones and

Page 21 - Dynamic Update

DNS Admins Group: By default the DNS Admins group has full control of all zones and records in a Windows 2000 domain in which it is specified. In order f

Page 22 - Update Algorithm

• Which zones can be scavenged • Which records must be scavenged if they become stale. The DNS server uses an algorithm that ensures that it does not acc

Page 23 - DHCP Server Considerations

WHITE PAPER ... 1 CONTENTS ...

Page 24 - Secure Dynamic Update

Aging and Scavenging Parameters for Zones: Zone Parameter | Description | Configuration Tool | Notes: No-refresh interval | Time interval, after the last time a re

Page 25

The table below lists the server parameters that affect when records are scavenged. You set these parameters on the server. Aging and Scavenging Paramet

Page 26 - Windows 2000 White Paper 20

Record Life Span: The Figure below shows the life span of a scavengeable record. When a record is created or refreshed on an Active Directory–integrated

Page 27 - DnsUpdateProxy Group

the record at that time. The time at which records are scavenged depends on several server parameters. Scavenging Algorithm: The server can be configured

Page 28 - Reserving Names

Usually, the DHCP service requires the longest refresh interval of all services. If you are using the Windows 2000 DHCP service, you can use the defaul

Page 29

zone file. Administrators should exercise caution when transferring a zone containing UTF-8 names to a non-UTF-8-aware DNS server. The Domain Locator: The

Page 30 - Windows 2000 White Paper 24

[Flowchart labels: Collect the following info: DNS Domain Name, Domain GUID, Site Name. Did client find DNS Domain Name or Domain GUID? Finish / No / Yes / Call Windows NT 4 compatible Lo

Page 31

The description of the Windows NT 4 Compatible Domain Locator has been omitted, since it is irrelevant to the DNS and is described in "Windows 2000 Dom

Page 32 - Record Life Span

_ldap._tcp.<SiteName>._sites.<DnsDomainName>. Allows a client to find an LDAP server in the domain named by <DnsDomainName> and is in

Page 33 - Scavenging Algorithm

All DCs providing the Kerberos service will register this name. This service is at least an RFC-1510 compliant Kerberos 5 KDC. The KDC is not necessari

Page 34 - Unicode Character Support

Dynamic Update ... 15 Protocol Description ...

Page 35 - The Domain Locator

IP/DNS DC Locator Algorithm: The IP/DNS DC Locator algorithm is executed in the context of the NetLogon service, (typically) running on the client. The a

Page 36 - Windows 2000 White Paper 30

[Flowchart labels: Send a DNS query specifying one of the criteria specific DNS host names. Does the DNS query response contain at least one DC? Quit indicating the reason / No / Among

Page 37 - IP/DNS Compatible Locator

A client might have multiple network adapters and thus might have multiple IP addresses. That could theoretically put the client in multiple sites. The

Page 38 - Windows 2000 White Paper 32

computer, the same rule is applicable to every adapter separately. This feature is enabled by default. It can be disabled through the Registry. Name Re

Page 39

resolution. The following summarizes the name resolution algorithm: • The query is issued to the lead server on the preferred adapter's server lis

Page 40 - Windows 2000 White Paper 34

• The query is processed as a fully-qualified query. • If the result is a positive response, the response is returned to the caller. • If the result is

Page 41

• The response is returned to the client. Name Resolution Scenarios: This section provides name resolution scenarios for a multi-homed machine using unqua

Page 42 - Caching Resolver

• negative response • query t1 for boguz.dns.microsoft.com. • negative response • query e1 for boguz.dns.ntlab.microsoft.com. • negative response • query t

Page 43 - Name Resolution

Registry key HKEY_Local_Machine\System\CurrentControlSet\Services\DNSCache\Parameters. Disabling the Caching Resolver: There are two ways to disable the

Page 44 - Windows 2000 White Paper 38

hardware components can provide information and notification of events. WMI simplifies the instrumentation of various drivers and applications written

Page 45

Internet Access Considerations ... 46 Characters in Names ...

Page 46 - Name Resolution Scenarios

Receiving Non-RFC Compliant Data: If a Windows 2000 server supports a secondary zone and receives unknown resource records, then it drops such records an

Page 47 - Negative Caching

Hardware components | Sizing: Number of processors | Two; Processor | Intel Pentium II 400 MHz; Amount of RAM | 256 MB (megabytes); Hard disk drive space | 4 GB (gigaby

Page 48 - Administrative Tools

namespace and DNS architecture to support it, and then revising the ADS and DNS design if unforeseen, or undesirable consequences are uncovered. The Win

Page 49 - ACTIVE DIRECTORY

strongly discouraged, since it may lead to the ambiguity in name resolution processes. In this section the focus is on the design of the private namespa

Page 50 - DNS Server Performance

The following DNS configuration and name resolution scenarios are considered in detail with overlapping internal and external namespaces, since it is t

Page 51 - Number of processors Two

zone, that is, zzz.com., must also contain the zones containing all (internal and external) names of the merged companies. Now take a look at a private

Page 52 - Choosing Names

[Figure labels: External world / Global Network; YYY corporation; ZZZ corporation; YYY corporation; ZZZ corporation; VPN; VPN; Proxy Server; Firewall] A DNS Server, Firewall, VPN or

Page 53

forwards the query to the DNS server containing the zzz.com. zone (Step 2). This server finds a delegation to the third.zzz.com. in the zzz.com. zone.

Page 54 - Windows 2000 White Paper 48

(Step 8). The DNS server returns the response to the proxy server (Step 9). Finally, the proxy server uses the obtained IP address of www.someother.com

Page 55

Now consider an interesting case of a corporate computer that needs to resolve an external name of a computer from its own company. A computer in the YY

Page 57

A computer in the ZZZ Corporation needs to resolve a DNS query for www.zzz.com. It submits the query to the assigned DNS server (Step 1). If its cache

Page 58 - Windows 2000 White Paper 52

First it finds that the name myname.zzz.com. is internal, based on the PAC file. Therefore, it submits a query to the assigned DNS server (Step 1). If

Page 59

a full DNS computer name, which is a concatenation of Host name and primary DNS suffix. The primary DNS suffix is part of the base machine configuratio

Page 60 - Windows 2000 White Paper 54

Active Directory Domain: MyCompany.com. Host name: MyComputer. Primary DNS suffix: MyCompany.com. Full computer name: MyComputer.MyCompany.com. Public

Page 61 - Computer Names

If existing DNS tree is implemented by Windows NT 4.0 DNS, the solution is to upgrade the Windows NT 4.0 DNS servers to the Windows 2000 implementation

Page 62 - Windows 2000 White Paper 56

[Flowchart labels: Do you have DNS? Design/Deploy Windows 2000 DNS Topology / Yes / No Overlap / Finish / What is your DNS Naming platform & topology? / Windows NT 4 DNS in Place / Upg

Page 63

secondary zones can be upgraded to DS integrated zones. At this point non-Microsoft DNS servers can be safely retired and removed from the network. Dep

Page 64 - Active Directory

Using Automatic Configuration: The Windows 2000 implementation of DNS offers a DNS Server Configuration wizard, which greatly simplifies the DNS server i

Page 65

In the picture above, a WINS referral zone called wins.mydomain.microsoft.com. has been created and pointed to the WINS database. Assume that a Windows

Page 66 - Windows 2000 White Paper 60

• Enhanced Caching Resolver Service • Enhanced DNS Manager. To properly deploy DNS in the Windows 2000-based environment, it is recommended to start with

Page 67 - GLOSSARY

The designers of the Microsoft® Windows® 2000 operating system chose the Domain Name System (DNS) as the name service for the operating system. Windows

Page 68 - Windows 2000 White Paper 62

UCS-2 – Also known as Unicode, is a character encoding protocol. UTF-8 – A character encoding protocol, specified in RFC 2044. WINS – Windows Name System (WINS)

Page 69 - For More Information

Name Services in Windows 2000: DNS is the name service of Windows 2000. It is by design a highly reliable, hierarchical, distributed, and scalable databa

Page 70 - Windows 2000 White Paper 64

• Draft-skwan-gss-tsig-04.txt (GSS Algorithm for TSIG (GSS-TSIG)). For more information on these documents, go to http://www.ietf.org/. In addition to t
