Hello Readers!
If you've opted to use Microsoft's Active Directory on your
network, then you probably already realize how important DNS
is to your system. It can be tricky to configure, however, and
if you do it incorrectly you could end up with a real mess on
your hands. If you're having DNS troubles, or are just in the planning
phase of Active Directory, read today's article by Rainer Gerhards
for some invaluable tips on how to set up DNS on your network
the right way - the first time. Enjoy the article!
Active Directory and DNS
by Rainer Gerhards
Microsoft's Active Directory relies heavily on DNS. DNS is
used to find important resources like domain controllers.
Because these in turn are needed to authenticate users, Windows
2000 will not work properly without a correctly configured DNS.
Unfortunately, Microsoft has decided to use very new standards
in its DNS. The Windows 2000/XP environment relies on options
like dynamic DNS and - to some degree - Unicode characters in
DNS records. While most of these are open standards, they are
seldom used outside of the Microsoft environment. So in reality,
only the Microsoft DNS server will ensure proper and hassle-free
DNS operation. And when I say Microsoft DNS, I mean the one
that comes with Windows 2000 or newer operating systems - the
Windows NT 4 DNS server won't help much.
This article describes Microsoft's approach, the issues with
that approach, and how to work around them.
Why does Windows 2000 need DNS?
Microsoft has decided to build Active Directory on top of open
standards. DNS is *the* Internet standard for resource location.
However, so far it has mostly been used to resolve host names
to IP addresses. Typically, it is used to get the IP address
of a host with a given name, e.g. www.windows-expert.net,
so that a browser can connect to that machine.
However, DNS is more than an IP address resolver. DNS is a distributed
database of so-called resource records. There are many resources
besides IP addresses; most notable are name servers or mail
exchangers (a.k.a. mail servers). A relatively new record is
the so-called service (SRV) record. That one is used to describe
services residing on a machine - for example, a domain controller
service. SRV records are an open standard, supported not only
by Microsoft but also by other vendors. However, other
vendors' support is limited and only available in current releases.
The widely used BIND (Berkeley Internet Name Daemon) DNS
server - the de-facto standard under Unix - must be at least
version 8.1.2. With an older version, problems will arise
almost instantly.
Active Directory uses SRV records to locate any and all services.
Not only is the domain controller detected by SRV records, they
also point to global catalog servers and other important services.
Windows 2000 must be able to resolve references to these services.
Otherwise, it will fail. Correct DNS records are of utmost importance
for a healthy Active Directory.
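As an added illustration (not part of Rainer Gerhards' article), the following Python script shows what a client actually does with the SRV records described above: it parses a constructed zone fragment, keeps the SRV records for the service being looked up, and orders the targets the way RFC 2782 specifies (lowest priority value first, weighted random choice within one priority). The zone content, the host names and the example.local domain are constructed; the owner name _ldap._tcp.dc._msdcs.<domain> is the SRV name a Windows domain controller registers for its LDAP service.

```python
"""Locate a service through DNS SRV records, as an Active Directory client does.

Added example; the zone fragment, host names and example.local domain are
constructed.  The owner name _ldap._tcp.dc._msdcs.<domain> is the SRV name a
Windows domain controller registers for LDAP; the selection rules
(priority, then weight) follow RFC 2782.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Constructed zone fragment in BIND zone-file notation:
# owner  TTL  class  type  priority  weight  port  target
CONSTRUCTED_ZONE = """
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0  100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 0  100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local.     600 IN SRV 10 0   389 dc-backup.example.local.
_kerberos._tcp.dc._msdcs.example.local. 600 IN SRV 0  100 88  dc1.example.local.
dc1.example.local.                      600 IN A   192.0.2.10
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


def _fqdn(name: str) -> str:
    """Normalise an owner or target name: lower-case, with a trailing dot."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def parse_srv_records(zone_text: str) -> list[SrvRecord]:
    """Return the SRV records in zone-file style text; other record types are skipped."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) != 8 or fields[3].upper() != "SRV":
            continue
        owner, _ttl, _class, _rtype, prio, weight, port, target = fields
        records.append(SrvRecord(_fqdn(owner), int(prio), int(weight), int(port), _fqdn(target)))
    return records


def order_by_rfc2782(records: list[SrvRecord], seed: int | None = None) -> list[SrvRecord]:
    """Order one name's SRV records in the sequence a client should try them.

    Lower priority values come first.  Within a priority the next record is
    drawn at random with probability proportional to its weight, so equal
    weights share load evenly and weight-0 records are rarely picked first.
    """
    rng = random.Random(seed)
    ordered: list[SrvRecord] = []
    by_priority: dict[int, list[SrvRecord]] = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for prio in sorted(by_priority):
        # RFC 2782: weight-0 records go first so the running-sum test can reach them.
        remaining = sorted(by_priority[prio], key=lambda r: r.weight != 0)
        while remaining:
            total = sum(r.weight for r in remaining)
            if total == 0:
                chosen = rng.choice(remaining)
            else:
                point = rng.randint(0, total)
                running = 0
                for chosen in remaining:
                    running += chosen.weight
                    if running >= point:
                        break
            ordered.append(chosen)
            remaining.remove(chosen)
    return ordered


def locate_service(zone_text: str, service: str, seed: int | None = None) -> list[tuple[str, int]]:
    """Return (target, port) pairs for a service name, in the order to try them."""
    wanted = _fqdn(service)
    matching = [r for r in parse_srv_records(zone_text) if r.name == wanted]
    return [(r.target, r.port) for r in order_by_rfc2782(matching, seed)]


if __name__ == "__main__":
    for target, port in locate_service(CONSTRUCTED_ZONE, "_ldap._tcp.dc._msdcs.example.local", seed=1):
        print(f"try {target}:{port}")
```

The two priority-0 controllers are tried first in a random order and the priority-10 backup only if both fail, which is exactly why a missing or stale SRV record leaves a client with nothing to try. On a live domain the same data can be inspected with nslookup (set type=SRV) against the domain's own DNS server.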
What is DDNS?
So how do these (numerous) entries find their way to the DNS
database? The typical answer so far: a system administrator
has manually entered them into it. If you have a look at the
number of entries that Active Directory depends on - and their
change rate - this is not really a practical answer. Especially
if you take a look at all clients (e.g. Windows 2000 Professional
and Windows XP Professional) that of course need to be registered
in DNS, too.
Clearly, an automatic solution is needed. Fortunately, there
is DDNS, the "dynamic" DNS. That standard enables systems to
automatically enter their DNS records into the server's database
themselves. For example, a newly installed Windows 2000 server
registers its IP addresses into DDNS as well as the SRV-records
for any services running on it. Manual entries do not need to
be made.
Sounds like a perfect solution? Well, what in this world is perfect...
First of all, the number of DNS servers supporting DDNS is limited
(especially the number of the ones that work well...). Secondly,
and that is even worse, DDNS has a number of security weaknesses.
So you are typically limited in your options and will need to
carefully evaluate if you would like to have DDNS running as
your Internet (external) DNS server.
But be aware - DDNS is really a life-saver in the Active Directory
context, and its problems can be worked around. In practice,
we recommend using the Windows 2000 DDNS server instead of any
third party product. Fortunately, that server can be neatly
integrated into existing DNS infrastructures. Just ensure that
Windows 2000, XP or other Active Directory systems only use
DDNS servers. Theoretically, you can also use a non-dynamic
DNS server (one with manual database entries). But we recommend
this option only if you absolutely do not know how to fill all
of that spare time...
So what does this mean in reality?
Active Directory dependence on DDNS has some clear results:
A Windows 2000 server without Active Directory can be
used with any DNS server without any problems. For example,
you can use your ISP's DNS server (as is often done). However,
if Active Directory is installed on that very same machine,
you should point it to one of the Active Directory domain's
DDNS servers. Unless, again, you have lots of spare time...
Unfortunately, in many cases the previous DNS settings are preserved.
This most often happens during an upgrade from an NT 4 DC to Windows
2000. Because the previous DNS server does not support DDNS,
the upgraded Windows 2000 domain controller cannot register
itself with it. In that case, the Active Directory DC
logs an error message to the Windows event log. However, most
users (and even most admins) either do not see that message
or cannot interpret it correctly (it is a bit cryptic if you
don't know the exact specifics).
Once this DNS problem has persisted, the real trouble begins.
Active Directory is unable to function correctly due to missing
DNS records and other such vital resources. Unfortunately,
Windows 2000 falls back to pre-Active Directory methods for
services such as authentication, so the systems work to a certain
degree. However, all pure Active Directory functions fail, and
the Windows event log rapidly fills with more and more
error messages. If you try to install an additional AD DC in
this situation, it will fail - once again with a very cryptic
and hard to understand error message. In fact, the error says
that the domain does not exist - while the wizard itself displays
the domain as present. Sounds like you would be puzzled? I
bet you would!
Messages like that are a clear indication of an incorrectly
configured DNS or missing entries. In most cases, a missing
DDNS is the root cause of all the errors. In the author's personal
experience, missing DDNS or otherwise misconfigured DNS is the
number one trouble spot in Active Directory installations.
To avoid these problems, follow our #1 rule for Active Directory:
Install a working DDNS before installing your first Active
Directory server. It's easy: add a Microsoft DNS server
to the first Windows 2000 server at installation. It's just
a matter of minutes if you follow the wizard. Most wizards will
also automatically install the DNS server if you don't oppose
it. Once the DNS server is set up, the DNS zone for Active Directory
needs to be created. This is easily done with DNS manager (under
"Forward Lookup Zones").
Simply having the DNS server and DNS zone in place is not sufficient:
It needs to be used by your systems! Once again, a mistake often
occurs here. Most people tend to use their provider's DNS server,
because that is what they do all the time. But this is not an
option for Active Directory! You want to make sure you use your
own (D)DNS server. Manually, this is done via the network card's
properties:

[Screenshot: TCP/IP properties of the network card, with the
preferred DNS server set to the server's own address]
The screenshot shows a typical Active Directory
server setup: that server is working as a DDNS server as well,
and its preferred DNS server points to itself. So it will
be able to register its DNS records and query them successfully.
By the way: all dialogs say "DNS" - read it as "DDNS" and
you will have less trouble.
In many scenarios, people have tried this setup but then lost
Internet name resolution - and then switched back to their
provider's DNS server. Don't let that fool you: the setup
here is correct. If you can't resolve Internet names after
doing so, please read our related article on how to fix that!
Important: if you install other Windows 2000/XP servers and
workstations (Windows Professional), make sure that these
systems use your own DDNS server as well. Otherwise, they
won't see the vital Active Directory information and as such
will not work properly.
Also, ensure that you apply "old style" best DNS practices.
Specifically, have at least two DNS servers available. If
you operate a single server and that server fails (or is just
rebooted), no DNS resolution is available at all. During such
periods, network operation is seriously affected. If you have
at least two servers, that won't happen to you. In case the
first one fails, the client automatically switches to the
second one. So the screenshot above is not really an ideal
configuration - the alternate DNS server is missing.
Smooth Active Directory Installation
Once the DNS system has been correctly installed, Active Directory
installation can be carried out. Typically, this is now a painless
process. If you still experience any unexpected error messages,
the server may not yet have registered all of its records into
the DDNS. In this case, open up a command prompt and type "ipconfig
/registerdns". Then wait another 15 minutes before continuing.
It is also a good idea to check the event log if there are any
errors.
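To make the checks the article insists on concrete (that every Windows system uses the domain's own DDNS server, that an alternate server exists, and that the domain controller's records have actually been registered), here is an added Python script that is not part of the original article. It runs offline over constructed input: a client's preferred/alternate DNS server settings, the addresses of the Active Directory DNS servers, and the SRV owner names present in the zone. The required names are those a Windows domain controller registers under the domain and under _msdcs; the single-domain-forest assumption (the global catalog record sits under the same domain name), the addresses and the example.local domain are the example's own.

```python
"""Offline sanity check for a client's DNS settings in an Active Directory domain.

Added example, not from the original article.  All inputs are constructed:
the client's DNS server entries, the addresses of the domain's DDNS servers
and the SRV owner names found in the zone.  The required names are those a
Windows domain controller registers; a single-domain forest is assumed, so
the global catalog name lives under the same domain name.
"""
from __future__ import annotations

from dataclasses import dataclass

# SRV owner names this check insists on (domain placeholder filled in below).
# This is a constructed minimum, not the full set a DC writes to DNS.
REQUIRED_SRV_TEMPLATES = (
    "_ldap._tcp.dc._msdcs.{d}",
    "_kerberos._tcp.dc._msdcs.{d}",
    "_ldap._tcp.{d}",
    "_kerberos._tcp.{d}",
    "_kpasswd._tcp.{d}",
    "_ldap._tcp.gc._msdcs.{d}",   # global catalog; forest root == domain here
)


@dataclass(frozen=True)
class ClientDns:
    preferred: str
    alternate: str | None = None


def check_client_dns(client: ClientDns, ad_dns_servers: set[str],
                     zone_srv_names: set[str], domain: str) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the setup looks right."""
    findings = []
    if client.preferred not in ad_dns_servers:
        findings.append(("PREFERRED_NOT_AD",
                         f"preferred DNS server {client.preferred} is not one of the domain's "
                         f"DDNS servers; Active Directory lookups will fail"))
    if client.alternate is None:
        findings.append(("NO_ALTERNATE",
                         "no alternate DNS server: a reboot of the only server stops all resolution"))
    elif client.alternate not in ad_dns_servers:
        findings.append(("ALTERNATE_NOT_AD",
                         f"alternate DNS server {client.alternate} is not one of the domain's DDNS servers"))
    present = {n.lower().rstrip(".") for n in zone_srv_names}
    for template in REQUIRED_SRV_TEMPLATES:
        name = template.format(d=domain.lower().rstrip("."))
        if name not in present:
            findings.append(("MISSING_SRV",
                             f"{name} is missing; run ipconfig /registerdns on the DC and re-check"))
    return findings


DOMAIN = "example.local"
AD_DNS = {"192.0.2.10", "192.0.2.11"}          # constructed DC/DNS server addresses
FULL_ZONE = {t.format(d=DOMAIN) for t in REQUIRED_SRV_TEMPLATES}

# Constructed scenario 1: a workstation still pointing at the ISP's resolver.
ISP_CLIENT = ClientDns(preferred="198.51.100.53")
# Constructed scenario 2: the article's screenshot - DC points at itself, no alternate.
SCREENSHOT_DC = ClientDns(preferred="192.0.2.10")
# Constructed scenario 3: own DDNS server plus an alternate, as recommended.
GOOD_CLIENT = ClientDns(preferred="192.0.2.10", alternate="192.0.2.11")

if __name__ == "__main__":
    for label, client, zone in (("isp", ISP_CLIENT, {"_ldap._tcp.dc._msdcs.example.local"}),
                                ("screenshot", SCREENSHOT_DC, FULL_ZONE),
                                ("good", GOOD_CLIENT, FULL_ZONE)):
        print(label, check_client_dns(client, AD_DNS, zone, DOMAIN) or "OK")
```

The screenshot scenario reproduces the article's own verdict: the configuration works, but it lacks an alternate server. The ISP scenario shows the upgrade-from-NT-4 failure mode, where the client can never see the records and most of them were never registered in the first place.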
Please note that for all actions described here no reboot is
necessary. Microsoft has really reached its goal to reduce the
number of reboots in this area.
By the way: most of the things described in this article are
done automatically when you run the Active Directory wizards
with default settings. However, many people see a need to modify
these settings. The most common trouble source is Internet name
resolution, which might not work correctly when the wizards
are run with the defaults. Please see our related article if you
experience any problems in that area.
Even if you run the wizards and accept the default settings,
checking to ensure the wizard configured the system correctly
does no harm. Instead, it can be a life-saver.
Active Directory must be carefully designed!
I would like to add one important reminder. I have written
this article after seeing numerous questions on Active Directory
DNS issues. Active Directory is a great tool with enhanced
capabilities - but it is also very complex. If someone just
wants to try it on a home PC - or a lab machine - trial and
error may work (but will also cause lots of frustration).
If Active Directory is to be set up in a corporate environment
- no matter how small or how large - trial and error is definitely
not an option! Active Directory requires careful design.
For a small business it's an easy task, as long as you know
exactly what you are doing. If you're in doubt, I recommend
going out and asking someone who knows how to do it.
Originally appeared at http://www.windows-expert.net/Common/en/Articles/active-directory-and-dns.asp
Rainer Gerhards works for Adiscon, who offers software for server
monitoring. Visit www.monitorware.com for more information and
free downloads.