1. Before you Begin

If you are setting up a new domain, you need to decide on the following information before you start.

  • The name of your domain. This must be the same as the DNS subdomain name of your unit, e.g. oucs.ox.ac.uk (OUCS), bnc.ox.ac.uk (Brasenose) etc. As most units only have one DNS subdomain allocated, the decision is easy. However if you have multiple DNS names available to your unit, you need to decide which to use.
  • If you are using the central WINS servers, pick a NetBIOS name for your domain that won't clash with any existing names (including server and workstation names). This defaults to the first part of the full domain name, up to the first ".". For the above examples the NetBIOS names would be oucs and bnc. Where possible use this name, but sometimes it may already be in use. If it is, pick other names but include part of your unit name, e.g. oucs-ad, bnc-ad, as domain names can also clash with server or workstation names, or switch to using local WINS servers. If you don't use the central WINS servers you only need to worry about keeping names in use within your unit unique, giving more freedom as to choice of name.
  • The names and IP addresses of the servers that will run the DNS service. Generally these will be your domain controllers; it's preferable to have at least two if you can. Similar rules for server NetBIOS names apply as for domain names.
  • This method uses a non-default DNS configuration on your Windows servers. The instructions detail the steps to configure this; to understand how and why it is non-default, refer to the Background Information section towards the end of this document.

2. Known Issues

In this scenario, the central DNS servers retain control of the top level records in the subdomain (i.e. at the oucs.ox.ac.uk or bnc.ox.ac.uk level). Refer to the Background Information section towards the end of this document for full details of how this works. This configuration allows the majority of Active Directory services to be registered dynamically in the DNS by the servers that run them. However a few records for the domain are held by the central DNS servers in the Computing Services, which do not allow dynamic updates. In particular each domain controller will try to register an A record for the name of the domain (e.g. oucs.ox.ac.uk) to resolve to its own IP address. Since this level of the DNS is managed by the central servers, these records are not registered automatically and so do not exist by default.

In many cases this does not cause any problems. However, we are now aware of several situations where this does appear to break certain functionality. These are as follows.
  • Systems that are not joined to the domain fail to locate domain DFS namespaces via DNS.
  • Attempting to create a DFS namespace on a 2008 server in the domain may fail with an RPC error.
  • Joining Mac OS X 10.5 clients to a domain fails for versions prior to 10.5.3. This was resolved as of 10.5.3.

If you are affected by either of the DFS issues, or if you think you may have discovered other functionality that is broken by these missing records, please mail msad@oucs.ox.ac.uk.

3. Installing and Configuring DNS on the First Domain Controller

These instructions include installing Active Directory. However they are written so that you can still use them if you have already installed Active Directory; simply skip any steps that you have already completed.

Check TCP/IP configuration
  • On the first domain controller, open the TCP/IP properties of the network connection and make sure that the DNS servers listed are the usual Computing Services DNS servers.
Install Active Directory
  • Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use Server Manager to add the Active Directory Domain Services role; make sure you select [Use advanced mode installation] when the Active Directory Domain Services Installation Wizard (dcpromo) starts up.
  • When prompted about DNS (2000, 2003) or on the Additional Domain Controller Options page (2008), make sure that DNS will not be installed (on 2000 and 2003, choose to install and configure it yourself). 2008 Server will probably tell you that it can't install it anyway as it isn't authoritative for the domain. On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo.
Install the DNS Service
  • Use [Add/Remove Programs] (Windows Components/Networking Services) or the Configure your Server wizard to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role. Again, 2008 may protest about the domain authority; ignore it.
Create the DNS zones for Active Directory
  • Once Active Directory and the DNS service are both installed, open the DNS management program ([Administrative Tools]). If you allowed DNS to be installed automatically, you may already have two zones created called unit.ox.ac.uk and _msdcs.unit.ox.ac.uk. You should delete the first of these, keep the second and create the missing zones described below.
  • Now create the following forward lookup zones as Active Directory-integrated allowing secure dynamic updates (right-click on [Forward Lookup Zones] and choose [New Zone...].) This process is explained in more detail in the Appendix: How to Create and Configure a Zone. For 2008 Server Core, use another machine to administer DNS, or use DNSCMD, which is beyond the scope of these instructions (see Dnscmd Syntax.)
    • _tcp.unitDNSname.ox.ac.uk
    • _udp.unitDNSname.ox.ac.uk
    • _sites.unitDNSname.ox.ac.uk
    • _msdcs.unitDNSname.ox.ac.uk
    • DomainDnsZones.unitDNSname.ox.ac.uk
    • ForestDnsZones.unitDNSname.ox.ac.uk
  • For each zone, configure an appropriate contact address (Responsible person) under the [Start of Authority (SOA) tab], substituting a . for the @ and adding a . to the end of the address.
  • For domain controllers running 2003 and above, for the forest root domain only, edit the properties of the _msdcs.unitDNSname.ox.ac.uk domain and on the [General] tab ensure that it is configured to replicate to All DNS servers in the Active Directory forest. This is particularly important in multi-domain forests. The other domains should be configured to replicate to DNS servers or domain controllers within the domain, rather than the forest.
Configure Forwarders
  • Configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. This is recommended for security reasons and also speeds up queries for information in the ox.ac.uk domain. Configure this via the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry.
Configure delegations from the central DNS servers
  • Use the [Change Active Directory server definitions] on the Interface for Host Updates page, linked from the OUCS DNS page to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc). Always register the canonical or standard name of the server; don't register an alias (it doesn't work correctly).
Update TCP/IP configuration
  • Open the TCP/IP properties of the network connection, remove the Oxford DNS server address(es) and replace them with the address of your new DNS server (i.e. its own address). You can use the 127.0.0.1 address (although some of the diagnostics tools may report an error if you use this address but won't if you use the real address of the server).
Register and check records
  • Reboot the server, or restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS.
  • Take a look in the file C:\Windows\System32\Config\netlogon.dns and compare the entries with the entries in the DNS management tool. You may need to refresh or even restart the latter before you can see them.
Run tests to check for errors
  • Check the event logs for errors. Expect to see 5774 where it complains that it can't register all of the records. The problem is the host (A) record for the domain itself. You can suppress this by adding a multistring (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, and entering the data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
  • Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support tools included on the Windows server CD (the latter won't work on 2000), and included as part of 2008, to check that everything looks healthy.
Configure Firewalls and Clients
  • Refer to the other sections in this document for details on configuring perimeter firewalls and clients as well as subsequent domain controllers.
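The "Register and check records" step above asks you to compare netlogon.dns with what the DNS management tool shows. The script below is an added example, not part of the original document or of any Microsoft tool: it parses a netlogon.dns-style file and works out which of the six delegated zones will hold each record, and which records fall at the domain level that the central Computing Services servers manage (and so will never register dynamically; these are the records behind event 5774). The sample file content is constructed for the example, with 192.0.2.x placeholder addresses; the record layout follows the owner/TTL/IN/type/rdata form of netlogon.dns.

```python
import re
from collections import defaultdict

# The six subdomains delegated to the unit's Windows DNS servers (from this document).
DELEGATED_ZONE_PREFIXES = ("_tcp", "_udp", "_sites", "_msdcs",
                           "DomainDnsZones", "ForestDnsZones")

# Constructed sample in the style of netlogon.dns (not a real capture).
SAMPLE_NETLOGON_DNS = """\
; constructed sample, placeholder addresses
oucs.ox.ac.uk. 600 IN A 192.0.2.10
_ldap._tcp.oucs.ox.ac.uk. 600 IN SRV 0 100 389 oucsserver1.oucs.ox.ac.uk.
_kerberos._udp.oucs.ox.ac.uk. 600 IN SRV 0 100 88 oucsserver1.oucs.ox.ac.uk.
_ldap._tcp.Default-First-Site-Name._sites.oucs.ox.ac.uk. 600 IN SRV 0 100 389 oucsserver1.oucs.ox.ac.uk.
_ldap._tcp.pdc._msdcs.oucs.ox.ac.uk. 600 IN SRV 0 100 389 oucsserver1.oucs.ox.ac.uk.
gc._msdcs.oucs.ox.ac.uk. 600 IN A 192.0.2.10
3f4a1b2c-0000-4000-8000-000000000001._msdcs.oucs.ox.ac.uk. 600 IN CNAME oucsserver1.oucs.ox.ac.uk.
_ldap._tcp.DomainDnsZones.oucs.ox.ac.uk. 600 IN SRV 0 100 389 oucsserver1.oucs.ox.ac.uk.
_ldap._tcp.ForestDnsZones.oucs.ox.ac.uk. 600 IN SRV 0 100 389 oucsserver1.oucs.ox.ac.uk.
"""

RECORD_RE = re.compile(r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+(?P<type>[A-Z]+)\s+(?P<rdata>.+)$")


def delegated_zones(domain):
    """The delegated zone names for an AD domain such as 'oucs.ox.ac.uk' (lower-cased)."""
    return [f"{p}.{domain}".lower() for p in DELEGATED_ZONE_PREFIXES]


def parse_netlogon_dns(text):
    """Parse netlogon.dns lines into dicts; comments and blank lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = RECORD_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        records.append({"owner": m["owner"].rstrip(".").lower(),
                        "ttl": int(m["ttl"]),
                        "type": m["type"],
                        "rdata": m["rdata"].strip()})
    return records


def holding_zone(owner, domain):
    """Which zone will accept a record with this owner name?

    Longest-suffix match against the delegated zones. A name inside the domain
    that matches none of them sits at the level the central servers manage,
    which does not accept dynamic updates.
    """
    domain = domain.lower()
    best = None
    for zone in delegated_zones(domain):
        if owner == zone or owner.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best:
        return best
    if owner == domain or owner.endswith("." + domain):
        return "central:" + domain
    return "external"


def classify(records, domain):
    """Group parsed records by the zone that will hold them."""
    groups = defaultdict(list)
    for r in records:
        groups[holding_zone(r["owner"], domain)].append(r)
    return dict(groups)


def unregistrable(records, domain):
    """Records Netlogon will try, and fail, to register via the local DNS servers."""
    return [r for r in records if holding_zone(r["owner"], domain).startswith("central:")]


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for zone, items in sorted(classify(recs, "oucs.ox.ac.uk").items()):
        print(f"{zone}: {len(items)} record(s)")
    for r in unregistrable(recs, "oucs.ox.ac.uk"):
        print(f"will not register (expect event 5774): {r['owner']} {r['type']} {r['rdata']}")
```

Run it against a real netlogon.dns by reading the file into parse_netlogon_dns; anything reported as "central:" is expected to be missing from the DNS management tool, and a record reported under one of the six zones but absent there points at a replication, delegation or dynamic-update problem worth chasing with dcdiag.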

4. Configuring the Second and Subsequent Domain Controllers

Carry out the following operations on the server you are adding to the domain, unless stated. Again, skip any steps you have already carried out.

Check TCP/IP configuration
  • On the second domain controller, open the TCP/IP properties of the network connection and delete any DNS server entries. Instead, enter the address of the existing Windows DNS server (usually your first domain controller).
Install Active Directory
  • Use dcpromo to install Active Directory adding the server as a new server in an existing domain.
  • This time, you shouldn't be prompted about DNS on 2000 or 2003. Again 2008 may refuse to install DNS; this is fine and should not prevent Active Directory Domain Services from being installed. Again, on 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo to stop DNS from being installed.
Install the DNS Service
  • If necessary, use [Add/Remove Programs] (Windows Components/Networking Services) or the Configure your Server wizard to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role.
  • Since you have configured DNS to use Active Directory-integrated zones, you don't need to configure the zones again as they will be replicated automatically (although this can take a while).
Check that the Zones have replicated
  • Open the DNS management program and check that the zones shown below are visible. For 2008 Server Core, use DNSCMD or remote management. It may take a while for them to appear.
    • _tcp.unitDNSname.ox.ac.uk
    • _udp.unitDNSname.ox.ac.uk
    • _sites.unitDNSname.ox.ac.uk
    • _msdcs.unitDNSname.ox.ac.uk
    • DomainDnsZones.unitDNSname.ox.ac.uk
    • ForestDnsZones.unitDNSname.ox.ac.uk
Configure Forwarders
  • Configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. This is recommended for security reasons and also speeds up queries for information in the ox.ac.uk domain. Configure this via the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry.
Configure delegations from the central DNS servers
  • You can register up to two servers centrally. If this is the second server in the domain, use the [change Active Directory server definitions] using the Interface for Host Updates page, linked from the OUCS DNS page to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc).
Update TCP/IP configuration
  • Open the TCP/IP properties of the network connection and add this server's own IP address to the list of DNS servers. Ensure it is at the top of the list. You can use 127.0.0.1 as the address (although some of the diagnostics tools may report an error if you use this address but won't if you use the real address of the server). Do not remove the addresses of any other Windows DNS server from the list, but it can be a good idea to remove any of the central Computing Services servers.
Register and check records
  • Take a look in the file C:\Windows\System32\Config\netlogon.dns and compare the entries with the entries in the DNS management tool.
Run tests to check for errors
  • Check the event logs for errors. Expect to see 5774 where it complains that it can't register all of the records. The problem is the host (A) record for the domain itself. You can suppress this by adding a multistring (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, and entering the data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
  • Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support tools included on the Windows server CD (the latter won't work on 2000) to check that everything looks good.
Update other domain controllers
  • On any other domain controllers, open the TCP/IP properties of the network connection and add the IP address of your new domain controller/DNS server to the list of servers. Always make sure that DNS servers have their own address first in the list, but then do include the addresses of the other Windows DNS servers in the list. If you don't, it can result in slow (5 or 10 minutes) boot times, for later versions of Windows server.
Configure Firewalls and Clients
  • Refer to the other sections in this document for details on updating the configuration of perimeter firewalls and clients.
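The two "Update TCP/IP configuration" and "Update other domain controllers" steps above give ordering rules for the DNS server list on every domain controller. The following added example (not from the original document) turns those rules into a check that can be run over the resolver lists of all your domain controllers. The addresses are constructed placeholders from the RFC 5737 documentation ranges; the list of central Computing Services servers is assumed, as the document does not give it.

```python
LOOPBACK = "127.0.0.1"


def check_dc_resolver_list(own_ip, configured, windows_dns_servers, central_servers):
    """Return (errors, warnings) for one domain controller's DNS server list.

    Rules taken from this section:
      - the DC's own address (or 127.0.0.1) must be first in the list;
      - every other Windows DNS server in the domain should also be listed,
        otherwise later Windows server versions can take 5-10 minutes to boot;
      - the central Computing Services servers are best removed from DCs;
      - 127.0.0.1 works, but some diagnostic tools report an error for it.
    """
    errors, warnings = [], []
    if not configured:
        return ["no DNS servers configured"], warnings
    first = configured[0]
    if first not in (own_ip, LOOPBACK):
        errors.append(f"own address {own_ip} must be first; found {first}")
    elif first == LOOPBACK:
        warnings.append("127.0.0.1 is listed first; diagnostics may complain, prefer the real address")
    present = set(configured)
    for srv in windows_dns_servers:
        if srv != own_ip and srv not in present:
            errors.append(f"other Windows DNS server {srv} is missing (slow boot risk)")
    for srv in central_servers:
        if srv in present:
            warnings.append(f"central Computing Services server {srv} is listed; consider removing it")
    return errors, warnings


def check_all_dcs(dc_lists, windows_dns_servers, central_servers):
    """dc_lists maps each DC's own IP to its configured DNS server list."""
    return {ip: check_dc_resolver_list(ip, lst, windows_dns_servers, central_servers)
            for ip, lst in dc_lists.items()}


# Constructed sample: two DCs that both run DNS, one assumed central server.
WINDOWS_DNS = ["192.0.2.10", "192.0.2.11"]
CENTRAL = ["198.51.100.1"]          # placeholder, not a real OUCS address
DC_LISTS = {
    "192.0.2.10": ["192.0.2.10", "192.0.2.11"],                  # correct
    "192.0.2.11": ["192.0.2.10", "192.0.2.11", "198.51.100.1"],  # wrong order, central left in
}

if __name__ == "__main__":
    for ip, (errs, warns) in check_all_dcs(DC_LISTS, WINDOWS_DNS, CENTRAL).items():
        print(ip, "OK" if not errs and not warns else "")
        for e in errs:
            print("  ERROR:", e)
        for w in warns:
            print("  warning:", w)
```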

5. Multi-domain Environments

If you have a forest with more than one domain, or you need to set up trusts between two domains in different forests, so long as both are set up using this configuration (i.e. using the existing DNS name for the Active Directory domain name) then everything should work with minimal additional configuration.

If you have problems, make sure that your firewall configuration is correct, as per the next section. Also make sure that the domain controllers, including the DNS servers, running in the different domains can communicate with each other through any firewalls that are between them.

For domain controllers running 2003 and above, for the forest root domain only, the _msdcs.unitDNSname.ox.ac.uk zone should be configured to replicate to All DNS servers in the Active Directory forest.

6. Configuring Firewalls

Many units run their own firewalls. If you do, you need to be careful about how you configure them regarding DNS traffic. While many things will work with an incorrect configuration, it may give rise to errors in the output from dcdiag and netdiag that can make it harder to identify real problems; also clients and servers can have problems locating services. Problems may be masked because systems fall back on NetBIOS name resolution, but will then become visible if this fails or is disabled.

It is recommended that you do not lock your firewall settings for DNS traffic to and from your DNS servers down more than detailed below. The first two rows are the ones that we most often see configured incorrectly (or not allowed at all).

Source Address              Source Port   Dest. Address               Dest. Port
DNS Caching Resolvers       Any           Your internal DNS Servers   TCP 53
DNS Caching Resolvers       Any           Your internal DNS Servers   UDP 53
Your internal DNS Servers   Any           Any                         TCP 53
Your internal DNS Servers   Any           Any                         UDP 53
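To check a firewall policy against the four rows above, the added example below (not part of the original document) models first-match rules with an implicit final deny and probes each required flow, reporting any that the policy would block; the TCP 53 rows, which the text says are the ones most often missed, are caught this way. The resolver, internal DNS and external addresses are constructed placeholders from the RFC 5737 documentation ranges.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass(frozen=True)
class Rule:
    src: str     # CIDR or "any"
    sport: str   # port number or "any"
    dst: str     # CIDR or "any"
    dport: str   # port number or "any"
    proto: str   # "tcp", "udp" or "any"
    action: str  # "allow" or "deny"


def _addr_match(pattern, addr):
    return pattern == ANY or ip_address(addr) in ip_network(pattern, strict=False)


def _match(pattern, value):
    return pattern == ANY or str(pattern).lower() == str(value).lower()


def decide(rules, src, sport, dst, dport, proto):
    """First matching rule wins; no match means deny, as most firewalls behave."""
    for r in rules:
        if (_addr_match(r.src, src) and _match(r.sport, sport)
                and _addr_match(r.dst, dst) and _match(r.dport, dport)
                and _match(r.proto, proto)):
            return r.action
    return "deny"


# The four flows from the table in this section: (source group, destination group, protocol).
REQUIRED_FLOWS = [
    ("caching_resolvers", "internal_dns", "tcp"),
    ("caching_resolvers", "internal_dns", "udp"),
    ("internal_dns", "anywhere", "tcp"),
    ("internal_dns", "anywhere", "udp"),
]


def missing_flows(rules, groups, probe_sport=50000):
    """Probe every required flow with representative addresses; return those denied.

    groups maps a group name to probe addresses; 'anywhere' holds one or more
    external addresses standing in for the table's 'Any' destination.
    """
    denied = []
    for sgrp, dgrp, proto in REQUIRED_FLOWS:
        for s in groups[sgrp]:
            for d in groups[dgrp]:
                if decide(rules, s, probe_sport, d, 53, proto) != "allow":
                    denied.append(f"{sgrp} {s} -> {dgrp} {d} {proto}/53")
    return denied


# Constructed placeholders; substitute the real caching resolver and unit addresses.
GROUPS = {
    "caching_resolvers": ["198.51.100.1", "198.51.100.2"],
    "internal_dns": ["192.0.2.10", "192.0.2.11"],
    "anywhere": ["203.0.113.53"],
}

# A policy with the common mistake: inbound from the resolvers allowed for UDP only.
INCOMPLETE_RULES = [
    Rule("198.51.100.0/24", ANY, "192.0.2.0/24", "53", "udp", "allow"),
    Rule("192.0.2.0/24", ANY, ANY, "53", ANY, "allow"),
]

# The same policy with the TCP 53 row added.
COMPLETE_RULES = [
    Rule("198.51.100.0/24", ANY, "192.0.2.0/24", "53", ANY, "allow"),
    Rule("192.0.2.0/24", ANY, ANY, "53", ANY, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("incomplete", INCOMPLETE_RULES), ("complete", COMPLETE_RULES)):
        gaps = missing_flows(rules, GROUPS)
        print(f"{name}: {len(gaps)} required flow(s) blocked")
        for g in gaps:
            print("  ", g)
```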

7. Configuring Clients

In this configuration you can configure clients that are members of the domain either to use the central DNS servers, or to use your Active Directory DNS servers. Additional tools that OUCS use for diagnosing security and configuration issues will only apply for clients using the central servers.

If using the central servers, make sure that firewalls are configured correctly as per the previous section or lookups routed through the central resolvers may fail.

In this configuration of DNS you cannot configure your clients to register their names and IP addresses automatically in DNS. Depending on the way in which applications resolve names, occasionally this can cause problems if the name of the system (as configured in the [System] control panel) and shown in Active Directory does not match the first part of the client's registered DNS name.

This is most likely to be a problem for software that expects to locate workstations by appending the DNS suffix to the name registered in Active Directory. Checking the operation with a machine where the name configured matches the name registered in DNS should reveal whether this is the problem.

The simplest solution to this issue is to make sure that the names match; if this is impossible other workarounds normally exist.

8. Additional Points to Note

If the network connection between your unit and OUCS is unavailable then you may find that logging in becomes very slow, or experience other name resolution issues. This happens because although most Active Directory records are registered on your local DNS servers, which continue to be accessible, the host records that translate between names of servers and IP addresses are held on the OUCS DNS servers.

If this is a problem for your unit, you may be able to provide resilience by running a secondary name server for the ox.ac.uk zone and asking OUCS to arrange for zone transfers to be allowed to a designated server. You then need to make sure that your domain controllers are configured to look up requests for ox.ac.uk via this name server. You can do this by configuring your DNS servers to forward requests for information about ox.ac.uk to this secondary server (add an entry for ox.ac.uk in the Forwarders tab in the [Properties] of the server object in the DNS management tool, or on Windows 2008, by an entry in the Conditional Forwarders folder).

You may be able to configure one of your existing Windows DNS servers to act as this secondary server. To enquire about this service, email OUCS in the usual way. If you decide to use one of your Windows DNS servers to manage the secondary zone, use the DNS Manager to create a new zone of type [Secondary] and configure zone transfers as directed by OUCS.

9. Background Information

With this option, the central DNS servers continue to manage most of the DNS registrations for clients in your domain, including the host (A) records for your domain controllers. You should continue to register the names and IP addresses for your domain controllers, servers and clients in the usual way using the Interface for Host Updates page, linked from the OUCS DNS page.

However the main records used to locate Active Directory services are stored in Active Directory-specific subdomains which are managed by DNS running on your Windows servers (normally on the domain controllers). These subdomains are
  • _tcp.unitDNSname.ox.ac.uk
  • _udp.unitDNSname.ox.ac.uk
  • _sites.unitDNSname.ox.ac.uk
  • _msdcs.unitDNSname.ox.ac.uk
  • DomainDnsZones.unitDNSname.ox.ac.uk
  • ForestDnsZones.unitDNSname.ox.ac.uk

The last two on the list are not used by Windows 2000-only domains.

The zones in the list above should be configured as Active Directory-integrated and to allow secure dynamic updates. The central DNS servers do not allow dynamic updates, so this method gives a good balance between convenience and security.

One set of records cannot be registered using this method and these are the host records for the domain itself. Each domain controller will normally register this record to resolve to itself. Generally the lack of this record does not cause problems; however there are a couple of scenarios where it may. Refer to the Known Issues section for further details.

9.1. Further Information

In Active Directory, domain controllers need to register various services in the DNS in order that other domain controllers, servers and clients can locate them and the services they offer. The main records that are needed for an Active Directory domain called unitDNSname.ox.ac.uk are Service (SRV) Resource Records that are registered in the various subdomains listed above.

There are normally at least 20 or so of these records per domain controller, and some of them are very long and involve GUIDs. The records registered will change with certain operations such as changing global catalog servers and adding domain controllers. Windows servers can register these records dynamically, and because of the number of records and the potential for changes, there is less room for error if domain controllers at least are allowed to update the records themselves.

For security reasons the main Oxford DNS servers will not allow the dynamic updating of records, so early discussions of interested parties within the University decided that for any unit installing Active Directory, the main DNS servers would delegate responsibility for the subdomains shown above (i.e. _tcp, _udp, _sites etc.) to one or two DNS servers installed in that unit. The unit should then configure domain controllers for their Active Directory domain to use the locally installed DNS servers, which will enable them to update their DNS entries dynamically.

The following diagram shows the various subdomains for unit.ox.ac.uk and the DNS servers that will be responsible for each.

DNS server and domain arrangement

Note that while the local DNS server can be installed on a member server, installing onto a domain controller allows the DNS lookup zones to be Active Directory-integrated, which has two main advantages. Firstly, enhanced security features can be used; for example dynamic updates can be restricted to computers that are members of the domain. Secondly, if you add a second DNS server on another domain controller for fault tolerance, you only need to configure the zones on the first server, not the second, as the zones and records are replicated automatically between domain controllers.

10. Appendix: How to Create and Configure a Zone

Start the DNS management console ([Start/Programs/Administrative Tools/DNS]). Open up your server (OUCS-PHANTOM in the example below) in the left hand window and you should see two folders — Forward Lookup Zones and Reverse Lookup Zones. There should be nothing in either of them.

If there is an entry under Forward Lookup Zones (there may be one called unitname.ox.ac.uk) then delete it.

Now right-click on the Forward Lookup Zone folder and select [New Zone]. Click on Next and then choose [Primary] as the zone type and make sure the option to Store the zone in Active Directory is checked.

Click on Next and type in the name of the zone you want to create. The zones are as follows (replace unitDNSname with the appropriate name for your unit).
  • _tcp.unitDNSname.ox.ac.uk
  • _udp.unitDNSname.ox.ac.uk
  • _sites.unitDNSname.ox.ac.uk
  • _msdcs.unitDNSname.ox.ac.uk
  • DomainDnsZones.unitDNSname.ox.ac.uk
  • ForestDnsZones.unitDNSname.ox.ac.uk

Click on Next, check that the details are correct and click on Finish. You now should have an entry for the zone visible within the Forward Lookup Zones folder.

DNS Management Console showing _msdcs.oucs.ox.ac.uk forward lookup zone.

Right-click on this entry and select [Properties]. First check on the [General] tab that [Only secure updates] is the setting for [Allow dynamic updates?]

Next click on the [Start of Authority (SOA)] tab and change the [Responsible person] entry. This box should contain a valid e-mail address which will be directed to the person responsible for the server. By convention you should substitute a . for the @ in the e-mail address. You should also include a . at the end of the address.

_msdcs.oucs.ox.ac.uk DNS Zone Properties — SOA Page

Consider changing the various time intervals. The main Oxford DNS servers use the following intervals, which are considerably longer than the Microsoft defaults.

Refresh interval 8 hours
Retry interval 2 hours
Expires after 1 week
Minimum TTL 1 day

There may be advantages in leaving the defaults until you have set up your server completely. However, once set up, it is unlikely that you will be making too many changes that affect the DNS, and the above settings may be more appropriate.
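The Responsible person conversion and the interval values above are easy to get slightly wrong when typed into six zones by hand. The added example below (not from the original document or from Microsoft) builds the RNAME form from a contact address, converts the interval wording used above into the seconds an SOA record carries, and checks a Responsible person field for the usual slips (an @ left in, or the trailing . missing). One point it adds that the document does not spell out: in master-file notation a dot inside the mailbox part (john.smith@...) is written as \. so that it is not read as a label break, as RFC 1034/1035 require for mailbox names. The contact addresses are constructed for the example.

```python
import re

# The intervals given above for the main Oxford DNS servers, in the wording used there.
OXFORD_INTERVALS = {
    "refresh": "8 hours",
    "retry": "2 hours",
    "expire": "1 week",
    "minimum ttl": "1 day",
}

_UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}


def parse_interval(text):
    """'8 hours' -> 28800. Accepts singular or plural unit names."""
    m = re.fullmatch(r"\s*(\d+)\s+(second|minute|hour|day|week)s?\s*", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised interval: {text!r}")
    return int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()]


def rname_from_email(address):
    """Contact e-mail -> SOA Responsible person (RNAME) in master-file form.

    '@' becomes '.', a trailing '.' is appended, and any '.' in the mailbox part
    is escaped as '\\.' so it is not taken as a label separator.
    """
    local, at, domain = address.strip().partition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local.replace(".", r"\.") + "." + domain.rstrip(".") + "."


def check_responsible_person(value):
    """Return a list of problems with a hand-typed Responsible person field."""
    problems = []
    if "@" in value:
        problems.append("contains '@'; the @ must be replaced by a '.'")
    if not value.endswith("."):
        problems.append("missing the trailing '.'")
    if not value.strip() or value.strip(".") == "":
        problems.append("empty name")
    return problems


def soa_intervals_seconds(intervals=OXFORD_INTERVALS):
    """Convert every interval in the table to seconds."""
    return {k: parse_interval(v) for k, v in intervals.items()}


def soa_rdata(primary_ns, contact_email, serial, intervals=OXFORD_INTERVALS):
    """Render SOA RDATA as it would appear in a zone file, using the table's intervals."""
    s = soa_intervals_seconds(intervals)
    ns = primary_ns.rstrip(".") + "."
    return (f"{ns} {rname_from_email(contact_email)} {serial} "
            f"{s['refresh']} {s['retry']} {s['expire']} {s['minimum ttl']}")


if __name__ == "__main__":
    # Constructed contact addresses; substitute your own.
    print(rname_from_email("hostmaster@oucs.ox.ac.uk"))
    print(rname_from_email("john.smith@oucs.ox.ac.uk"))
    print(soa_intervals_seconds())
    print(soa_rdata("oucsserver1.oucs.ox.ac.uk", "hostmaster@oucs.ox.ac.uk", 2008010101))
    for field in ("hostmaster@oucs.ox.ac.uk", "hostmaster.oucs.ox.ac.uk", "hostmaster.oucs.ox.ac.uk."):
        print(field, "->", check_responsible_person(field) or "ok")
```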