Archive Date
[ 04-10-2001 ]
Category
[ Information Technologies ]
sub-Category
[ Microsoft ]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/deploy/prodspecs/dnsreq.asp
DNS Requirements for Deploying Active Directory
This document provides checklists for verifying sufficient resources for the Domain Name Service (DNS) infrastructure when deploying the Windows® 2000 Active Directory™ service. Alternatively, you can use the dcdiag command line tool to automatically verify whether you have the configuration described in this document. You may download the tool from http://download.microsoft.com/download/win2000platform/Update/5.0.2195.2103/NT5/EN-US/dcdiag_setup.exe.
Active Directory uses DNS as the domain controller location mechanism, enabling computers to find the IP addresses of the domain controllers. In order to find a domain controller in a particular domain or forest, a client queries DNS for the appropriate service location (SRV) and address (A) resource records. These DNS resource records provide the names and IP addresses of the domain controllers.
Therefore, the DNS server used to support Active Directory deployment must support SRV records. In addition, Microsoft highly recommends that such DNS servers also support dynamic updates. The domain controllers dynamically register DNS records necessary for the successful functionality of the domain controller location mechanism.
Checklist: running Active Directory Installation Wizard to create a first domain controller in a new forest
There are several steps you must take in order to create a first domain controller in a new forest:
1. Verify DNS resolver configuration on the server.
Check whether a network connection of this server is configured with a DNS server to which this server sends queries. If not, configure it with the IP addresses of one or more DNS servers. If there are no DNS servers on the network, configure the network connection to use the server's own IP address as its DNS server address, even though the DNS server is not yet installed. The Active Directory installation wizard will automatically install and configure the DNS server after administrator confirmation.
To configure a network connection with a DNS server to which a computer sends queries, see the section below, "To configure the DNS client with a preferred and alternate DNS server".
2. Verify that the DNS zones authoritative for the DNS resource records to be registered by the domain controller allow dynamic updates
If there is no DNS server on the network, then no verification is needed.
Otherwise find a DNS zone authoritative for resource records to be registered by this DC. The records registered by a domain controller are described in "The Domain Locator" section of the "Windows 2000 DNS" white paper located at http://www.microsoft.com/windows/server/Technical/networking/w2kdns.asp.
Note that since all of the names of the resource records registered by the domain controller end with the DNS name of the Active Directory domain, the DNS zone authoritative for these records usually has the same name as the Active Directory domain's DNS name or as one of its parent DNS domains.
For example, if the Active Directory domain name is "example.reskit.com.", then the authoritative zone could be "example.reskit.com.", or "reskit.com.", or "com.", or the root zone if the network contains the private "com." or root zone.
Supporting SRV and dynamic updates
Verify that the DNS server that hosts this zone supports both the SRV resource records (per RFC 2782) and the dynamic updates (per RFC 2136) and that the zone is configured to allow dynamic updates. Windows 2000 DNS server supports the required standards. To verify zone configuration, see the section below, "To configure a DNS zone to allow dynamic updates".
Using other DNS servers
If you are not using a Windows 2000-based DNS server, contact your DNS administrator or the appropriate DNS server vendor to find out whether your server supports the required standards. If the server doesn't support the required standards or the zone cannot be configured to allow dynamic updates, you must modify the existing DNS infrastructure. For alternatives, see the "TCP/IP Core Networking Guide" in the Windows 2000 Server Resource Kit, Chapter 6, pages 364-370 and/or 429-433.
For the most common scenario of the Active Directory namespace integration into existing DNS infrastructure and the DNS configuration, see these deployment lab scenarios.
Checklist: running Active Directory Installation Wizard to create a domain controller in an existing forest
There are several steps you must take in order to create a domain controller in an existing forest:
1. Verify DNS resolver configuration on the server.
Check whether a network connection of this server is configured with a DNS server to which this server should send DNS queries. If not, you will need to configure it.
To configure a network connection with a DNS server to which this computer sends queries, see the section below, "To configure the DNS client with a preferred and alternate DNS server".
2. Verify that the records required for the promotion of the domain controller exist in DNS
Ideally, if all previously promoted DCs in this forest successfully registered DC Locator DNS records, this step would not be needed. You may skip this step and return to it if the Active Directory installation wizard fails to locate an existing Active Directory domain.
The following records must exist in DNS and be returned to the server when it sends a DNS query depending on the role to which this server needs to be promoted:
- Replica domain controller in the existing domain: queries for the SRV record _ldap._tcp.dc._msdcs.<Active Directory domain DNS name>
- First domain controller in a new child domain: queries for the SRV record _ldap._tcp.dc._msdcs.<Parent Active Directory domain DNS name>
- First domain controller in a new tree: queries for the SRV record _ldap._tcp.dc._msdcs.<Forest Root domain DNS name>
Verifying Records in DNS
In all of the previous scenarios, verify that DNS also contains the Address (A) record for each DC name specified in the data field of the corresponding SRV record.
To verify that the DNS contains the required records, you can use the DNS console or command line tool "nslookup".
For details on how to use the DNS console, see the section below, "To use DNS console to enumerate the records in a zone".
For details on using the nslookup tool, see "TCP/IP Core Networking Guide" of the Windows 2000 Server Resource Kit, Chapter 6, pages 450-454.
To determine the cause of the name resolution failure, you can run the "dcdiag" command line tool on the server to be promoted to a domain controller, using the "DcPromo" test for diagnostics. You may download the tool from <http://download.microsoft.com/download/win2000platform/Update/5.0.2195.2103/NT5/EN-US/dcdiag_setup.exe>.
Registering Records
If you discovered that the records that are supposed to be registered are not registered, then you need to fix the problem that caused the dynamic registration failure or register the required records manually. The list of records that should be registered by a domain controller is stored in the %SystemRoot%\System32\Config\Netlogon.dns file on the domain controller.
To discover why the domain controller failed to register its DNS records dynamically, you can run the "dcdiag" command line tool on that domain controller, using the "RegisterInDNS" test. You may download the tool from <http://download.microsoft.com/download/win2000platform/Update/5.0.2195.2103/NT5/EN-US/dcdiag_setup.exe>. Necessary conditions to allow dynamic registration of the DNS records by the domain controllers are listed in the next step.
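An added offline check, written for this page and not part of the original document or of the dcdiag tool: it parses records in the line format used by Netlogon.dns, lists the zones that could be authoritative for a domain name, maps each promotion role to the domain whose DC must be found, and verifies that the _ldap._tcp.dc._msdcs SRV record and the A record of each SRV target are present. The zone content is constructed sample data.

```python
"""Pre-promotion DC Locator record check (example code, constructed data)."""
from collections import defaultdict

# Constructed zone content, in the "name TTL IN type data" line format that
# Netlogon.dns uses. dc2 deliberately has an SRV entry but no A record.
SAMPLE_ZONE = """
_ldap._tcp.dc._msdcs.example.reskit.com. 600 IN SRV 0 100 389 dc1.example.reskit.com.
_ldap._tcp.dc._msdcs.example.reskit.com. 600 IN SRV 0 100 389 dc2.example.reskit.com.
dc1.example.reskit.com. 600 IN A 10.0.0.11
"""

def parse_records(text):
    """Return {(owner_name, type): [rdata fields, ...]} for each record line."""
    records = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] != "IN":
            continue  # blank line or not a record
        name = parts[0].lower().rstrip(".")
        records[(name, parts[3])].append(parts[4:])
    return records

def candidate_zones(domain):
    """Zones that may hold a domain's records: the domain, each parent, and root."""
    labels = domain.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def locator_query_domain(role, domain, parent=None, forest_root=None):
    """Domain whose DC the wizard must locate for each promotion role."""
    return {"replica": domain, "child": parent, "tree": forest_root}[role]

def check_dc_locator(records, domain):
    """Return (ok, problems): SRV record present and every target has an A record."""
    problems = []
    srv_name = "_ldap._tcp.dc._msdcs." + domain.rstrip(".").lower()
    srvs = records.get((srv_name, "SRV"), [])
    if not srvs:
        problems.append("missing SRV " + srv_name)
    for _priority, _weight, _port, target in srvs:
        host = target.lower().rstrip(".")
        if not records.get((host, "A")):
            problems.append("SRV target " + host + " has no A record")
    return (not problems, problems)

if __name__ == "__main__":
    zone = parse_records(SAMPLE_ZONE)
    dom = locator_query_domain("replica", "example.reskit.com")
    print(candidate_zones(dom))
    print(check_dc_locator(zone, dom))
```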
3. Verify that the DNS zones authoritative for the DNS resource records to be registered by the domain controller allow dynamic updates
Find the DNS zone or zones authoritative for the resource records to be registered by this DC. To check the records that are registered by a domain controller, see "The Domain Locator" section in the "Windows 2000 DNS" white paper located at http://www.microsoft.com/windows/server/Technical/networking/w2kdns.asp.
Note that since all of the names of the resource records registered by the domain controller end with the DNS name of the Active Directory domain, the DNS zone authoritative for these records usually has the same name as the Active Directory domain's DNS name or as one of its parent DNS domains. For example, if the Active Directory domain name is "example.reskit.com.", then the authoritative zone could be "example.reskit.com.", or "reskit.com.", or "com.", or the root zone if the network contains the private "com." or root zone.
Supporting SRV and dynamic updates
Verify that the DNS server that hosts this zone supports the SRV resource records (per RFC 2782) and the dynamic updates (per RFC 2136) and that the zone is configured to allow the dynamic updates. Windows 2000 DNS server supports the required standards. To verify zone configuration, see the section below "To configure a DNS zone to allow dynamic updates".
Using other DNS servers
If you are not using a Windows 2000-based DNS server, contact your DNS administrator or the appropriate DNS server vendor to find out whether your server supports the required standards. If the server doesn't support the required standards or the zone cannot be configured to allow dynamic updates, you must modify the existing DNS infrastructure. For alternatives, see the "TCP/IP Core Networking Guide" in the Windows 2000 Server Resource Kit, Chapter 6, pages 364-370 and/or 429-433.
For the most common scenario of the Active Directory namespace integration into existing DNS infrastructure and the DNS configuration, see these deployment lab scenarios.
Common operations
To configure the DNS client with a preferred and alternate DNS server:
1. Click Start, point to Settings and then click Control Panel.
2. Double-click Network and Dial-up Connections.
3. Right-click Local Area Connection, and then click Properties.
4. Click Internet Protocol (TCP/IP), and then click Properties.
5. Select Use the following DNS server addresses.
6. In the "Preferred DNS server" textbox, specify the IP address of the DNS server that this computer should send DNS queries to. Usually this is an existing DNS server within the same site. If this computer sends queries to the DNS server running on this computer, specify the IP address of this computer. Optionally, in the "Alternate DNS server" textbox, specify the IP address of another DNS server that this computer should send queries to if the preferred DNS server doesn't respond.
7. If a DNS server is (or will be) running on this computer, it is strongly recommended to configure the computer with a static IP address. To do so, select the Use the following IP address radio button and specify the static IP address, subnet mask, and default gateway's IP address in the IP address, Subnet mask and Default gateway textboxes, respectively.
8. Click OK to close the Advanced TCP/IP Settings properties.
9. Click OK to accept the changes to your TCP/IP configuration.
10. Click OK to close the Local Area Connection properties.
To configure a DNS zone to allow dynamic updates:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. In DNS Console, expand the DNS Server that contains the authoritative zone. Expand the Forward Lookup Zones folder.
3. Right-click the zone of interest, and then click Properties.
4. On the General tab, in the Allow dynamic updates? menu, select Secure only (recommended) or Yes, and then click OK to accept the change.
To use DNS console to enumerate the records in a zone:
1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
2. In DNS Console, expand the DNS Server that contains the zone to be viewed. Expand the Forward Lookup Zones folder.
3. Expand the zone of interest. The right pane contains those records of the zone whose names are immediate subdomains of the DNS zone name. For example, "child.reskit.com" is an immediate subdomain of the reskit.com zone, while "grandchild.child.reskit.com" is not an immediate subdomain of reskit.com.
4. If the record that you are looking for is not an immediate subdomain of the zone, expand the folder whose name matches the label of the record name that follows the zone's name. In the previous example, the folder's name would be "child". Continue expanding the folders corresponding to the following labels of the record's name until you find the record or discover that the records do not exist.
Frequently Asked Questions
1. Q: My DNS server contains the required records but other computers still can't locate the domain controller. Why?
A: It is most likely that your parent zone doesn't contain a delegation to the child zone. For example, you created zone "ActiveDirectory.reskit.com." on a DNS server running on the domain controller, but the zone "reskit.com." loaded on another DNS server doesn't contain the delegation [that is, Name Server (NS) and usually Address (A) resource records].
2. Q: I installed a DNS server on a domain controller and configured it with a zone corresponding to a name of the Active Directory domain, such as "ActiveDirectory.reskit.com", but the domain controller still fails the dynamic registration of the DNS records. Why?
A: If your domain controller's network connection is configured with a DNS server other than the local one, then it is most likely that the parent zone doesn't contain a delegation to the child zone. For example, you created zone "ActiveDirectory.reskit.com" on a DNS server running on the domain controller, but the zone "reskit.com" loaded on another DNS server doesn't contain the delegation [that is, Name Server (NS) and usually Address (A) resource records].
3. Q: Do I have to use Microsoft DNS server?
A: No, you may use any DNS server running on any OS as long as the DNS server supports SRV records. We also strongly recommend using a DNS server that supports dynamic updates (per RFC 2136). Windows 2000 DNS server supports both of these features.