9. Background Information

With this option, the central DNS servers continue to manage most of the DNS registrations for clients in your domain, including the host (A) records for your domain controllers. You should continue to register the names and IP addresses for your domain controllers, servers and clients in the usual way using the Interface for Host Updates page, linked from the OUCS DNS page.

However, the main records used to locate Active Directory services are held in Active Directory-specific subdomains, which are served by the DNS Server role running on your Windows servers (normally the domain controllers). These subdomains are
  • _tcp.unitDNSname.ox.ac.uk
  • _udp.unitDNSname.ox.ac.uk
  • _sites.unitDNSname.ox.ac.uk
  • _msdcs.unitDNSname.ox.ac.uk
  • DomainDnsZones.unitDNSname.ox.ac.uk
  • ForestDnsZones.unitDNSname.ox.ac.uk

The last two on the list are not used by Windows 2000-only domains.

The zones in the list above should be configured as Active Directory-integrated and to allow secure dynamic updates. The central DNS servers do not allow dynamic updates, so this method gives a good balance between convenience and security.
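The following PowerShell is an added example, not part of the original OUCS page: it creates the six delegated subdomains as Active Directory-integrated zones that accept only secure dynamic updates, and then audits the server for any primary zone left on a weaker setting (file-backed, or accepting nonsecure updates). The unit name unit.ox.ac.uk is hypothetical; the script assumes it runs on a domain controller that already holds the DNS Server role with the DnsServer module (Windows Server 2012 or later). The DomainDnsZones replication scope is an assumption appropriate for a single-domain unit.

```powershell
# Added example (not from the OUCS page): create the delegated AD subdomains as
# AD-integrated zones with secure-only dynamic updates, then audit all zones.
# Assumptions: unit.ox.ac.uk is a hypothetical unit; this runs on a DC that already
# has the DNS Server role and the DnsServer module (Windows Server 2012 or later).
#Requires -Modules DnsServer

$unitDomain = 'unit.ox.ac.uk'   # hypothetical unit DNS name

# The six subdomains the central DNS servers delegate to the unit.
$delegated = '_tcp', '_udp', '_sites', '_msdcs', 'DomainDnsZones', 'ForestDnsZones' |
    ForEach-Object { '{0}.{1}' -f $_, $unitDomain }

foreach ($zone in $delegated) {
    if (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue) {
        Write-Verbose "Zone $zone already exists; leaving it unchanged"
        continue
    }
    # -ReplicationScope Domain stores the zone in the DomainDnsZones application
    # partition, so every DC in the domain that runs DNS receives a copy without
    # further configuration (assumption: single-domain unit).
    # -DynamicUpdate Secure accepts updates only from authenticated domain members
    # (GSS-TSIG); NonsecureAndSecure would let any host on the network rewrite records.
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -DynamicUpdate Secure
}

# Audit: every primary zone on this server must be AD-integrated (a file-backed zone
# cannot offer secure updates at all) and must not accept nonsecure updates.
$weak = Get-DnsServerZone |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Where-Object { -not $_.IsDsIntegrated -or $_.DynamicUpdate -ne 'Secure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate, ReplicationScope

if ($weak) {
    Write-Warning 'Zones that are not AD-integrated with secure-only dynamic updates:'
    $weak | Format-Table -AutoSize
} else {
    Write-Host 'All primary zones are AD-integrated and accept secure updates only.'
}
```

Run it in an elevated PowerShell session on the first domain controller; the audit section is worth re-running periodically, because a zone recreated by hand through the DNS console defaults can easily end up on NonsecureAndSecure.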

One set of records cannot be registered using this method: the host (A) records for the domain name itself (unitDNSname.ox.ac.uk). Each domain controller normally registers this record to resolve to its own address, but the domain name is held by the central servers rather than in a delegated subdomain, so the dynamic registration is refused. Generally the lack of this record does not cause problems; however, there are a couple of scenarios where it may. Refer to the Known Issues section for further details.

9.1. Further Information

In Active Directory, domain controllers need to register various services in the DNS so that other domain controllers, servers and clients can locate them and the services they offer. The main records needed for an Active Directory domain called unitDNSname.ox.ac.uk are Service (SRV) resource records, registered in the various subdomains listed above.

There are normally at least 20 or so of these records per domain controller, and some of them are very long and include GUIDs. The set of records changes with certain operations, such as adding or removing global catalog servers and adding domain controllers. Windows servers can register these records dynamically, and because of the number of records and the potential for change, there is less room for error if the domain controllers, at least, are allowed to update the records themselves.

For security reasons the main Oxford DNS servers will not allow the dynamic updating of records, so early discussions of interested parties within the University decided that for any unit installing Active Directory, the main DNS servers would delegate responsibility for the subdomains shown above (i.e. _tcp, _udp, _sites etc.) to one or two DNS servers installed in that unit. The unit should then configure domain controllers for their Active Directory domain to use the locally installed DNS servers, which will enable them to update their DNS entries dynamically.
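The check below is an added example and not part of the original page. Run from any Windows machine, it first confirms that the central resolver returns an NS delegation for each of the subdomains listed above, and then asks each of the unit's DNS servers for the SRV records that Netlogon registers on every domain controller, reporting any that are missing. The unit name unit.ox.ac.uk, the site name Default-First-Site-Name and all IP addresses are placeholders; the script also assumes the unit domain is the root of its own forest (so the _gc records live under the same name) and that the central server queried answers recursively for University clients. The GUID-based names under _msdcs are left out because their values differ per forest.

```powershell
# Added example (not from the OUCS page): verify delegation of the AD subdomains
# and the presence of the standard SRV records on the unit's DNS servers.
# Assumptions: unit.ox.ac.uk, the site name and all addresses below are placeholders;
# the unit domain is its own forest root; the central server answers recursively.

$unitDomain = 'unit.ox.ac.uk'               # hypothetical unit DNS name
$siteName   = 'Default-First-Site-Name'     # hypothetical AD site name
$centralDns = '192.0.2.53'                  # placeholder central Oxford resolver
$unitDns    = '192.0.2.10', '192.0.2.11'    # placeholder unit DNS servers (on the DCs)

$subdomains = '_tcp', '_udp', '_sites', '_msdcs', 'DomainDnsZones', 'ForestDnsZones'

# 1. Delegation: the central resolver must return NS records for each subdomain.
#    A subdomain with no NS answer has not been delegated, and nothing the DCs
#    register in it will be reachable from the rest of the University.
foreach ($sub in $subdomains) {
    $name = '{0}.{1}' -f $sub, $unitDomain
    $ns = Resolve-DnsName -Name $name -Type NS -Server $centralDns -DnsOnly -ErrorAction SilentlyContinue |
          Where-Object { $_.Type -eq 'NS' }
    if ($ns) {
        '{0,-40} delegated to {1}' -f $name, ($ns.NameHost -join ', ')
    } else {
        Write-Warning ('{0}: no NS delegation returned by {1}' -f $name, $centralDns)
    }
}

# 2. Registration: SRV names every DC publishes in the delegated subdomains.
#    The per-forest GUID names (e.g. <DomainGuid>.domains._msdcs) are omitted.
$srvNames = @(
    "_ldap._tcp.$unitDomain",
    "_kerberos._tcp.$unitDomain",
    "_kpasswd._tcp.$unitDomain",
    "_gc._tcp.$unitDomain",
    "_kerberos._udp.$unitDomain",
    "_kpasswd._udp.$unitDomain",
    "_ldap._tcp.dc._msdcs.$unitDomain",
    "_kerberos._tcp.dc._msdcs.$unitDomain",
    "_ldap._tcp.pdc._msdcs.$unitDomain",
    "_ldap._tcp.gc._msdcs.$unitDomain",
    "_ldap._tcp.$siteName._sites.$unitDomain",
    "_kerberos._tcp.$siteName._sites.$unitDomain",
    "_gc._tcp.$siteName._sites.$unitDomain",
    "_ldap._tcp.$siteName._sites.dc._msdcs.$unitDomain",
    "_ldap._tcp.$siteName._sites.gc._msdcs.$unitDomain"
)

foreach ($server in $unitDns) {
    $missing = foreach ($srv in $srvNames) {
        $answer = Resolve-DnsName -Name $srv -Type SRV -Server $server -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'SRV' }
        if (-not $answer) { $srv }
    }
    if ($missing) {
        Write-Warning ("{0} is missing {1} SRV record(s):`n  {2}" -f $server, @($missing).Count, ($missing -join "`n  "))
    } else {
        'All expected SRV records are present on {0}' -f $server
    }
}
```

If records are missing on one server but present on the other, Active Directory replication between the domain controllers is the first thing to check; if they are missing everywhere, run nltest /dsregdns on a domain controller to force Netlogon to re-register, and confirm that the domain controller's own DNS client settings point at the unit's DNS servers rather than the central ones.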

The following diagram shows the various subdomains for unit.ox.ac.uk and the DNS servers that will be responsible for each.

[Figure: DNS server and domain arrangement]

Note that while the local DNS server can be installed on a member server, installing it on a domain controller allows the DNS lookup zones to be Active Directory-integrated, which has two main advantages. Firstly, secure dynamic updates, which restrict updates to authenticated members of the domain, are only available for Active Directory-integrated zones. Secondly, if you add a second DNS server on another domain controller for fault tolerance, you only need to create the zones on the first server, not the second, as the zones and their records are replicated automatically between domain controllers.
