If you are setting up a new domain, you need to decide on the following information before you start.
In this scenario, the central DNS servers retain control of the top level records in the subdomain (i.e. at the oucs.ox.ac.uk or bnc.ox.ac.uk level). Refer to the Background Information section towards the end of this document for full details of how this works. This configuration allows the majority of Active Directory services to be registered dynamically in the DNS by the servers that run them. However a few records for the domain are held by the central DNS servers in the Computing Services, which do not allow dynamic updates. In particular each domain controller will try to register an A record for the name of the domain (e.g. oucs.ox.ac.uk) to resolve to its own IP address. Since this level of the DNS is managed by the central servers, these records are not registered automatically and so do not exist by default.
If you are affected by either of the DFS issues, or if you think you may have discovered other functionality that is broken by these missing records, please mail msad@oucs.ox.ac.uk.
3. Installing and Configuring DNS on the First Domain Controller
These instructions include installing Active Directory. However they are written so that you can still use them if you have already installed Active Directory; simply skip any steps that you have already completed.
1. Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use the Server Manager to add the Active Directory Domain Services role; make sure you select [Use advanced mode installation] when the Active Directory Domain Services Installation Wizard (dcpromo) starts up.
2. On the Additional Domain Controller Options page (2008), make sure that DNS will not be installed (on 2000 and 2003, choose to install and configure it yourself). 2008 Server will probably tell you that it can't install it anyway as it isn't authoritative for the domain. On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo.
3. Open the DNS management tool (from [Administrative Tools]). If you allowed DNS to be installed automatically, you may already have two zones created called unit.ox.ac.uk and _msdcs.unit.ox.ac.uk. You should delete the first of these, keep the second and create the missing zones described below.
4. Create the remaining zones (right-click [Forward Lookup Zones] and choose [New Zone...]). This process is explained in more detail in the Appendix: How to Create and Configure a Zone. For 2008 Server Core, use another machine to administer DNS, or use DNSCMD, which is beyond the scope of these instructions (see Dnscmd Syntax).
5. For each zone, set the e-mail address ([Responsible person]) under the [Start of Authority (SOA)] tab, substituting a . for the @ and adding a . to the end of the address.
6. For the _msdcs.unit.ox.ac.uk zone, on the [General] tab ensure that it is configured to replicate to All DNS servers in the Active Directory forest. This is particularly important in multi-domain forests. The other domains should be configured to replicate to DNS servers or domain controllers within the domain, rather than the forest.
7. Open the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry.
8. Use [Change Active Directory server definitions] on the Interface for Host Updates page, linked from the OUCS DNS page, to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc). Always register the canonical or standard name of the server; don't register an alias (it doesn't work correctly).
9. Examine C:\Windows\System32\Config\netlogon.dns and compare the entries with the entries in the DNS management tool. You may need to refresh or even restart the latter before you can see them.
10. Stop the domain controller from trying to register the A record for the domain name by adding DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, and entering the data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
11. Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support Tools included on the Windows server CD (the latter won't work on 2000), and included as part of 2008, to check that everything looks healthy.
4. Configuring the Second and Subsequent Domain Controllers
Carry out the following operations on the server you are adding to the domain, unless stated. Again, skip any steps you have already carried out.
1. Use dcpromo to install Active Directory, adding the server as an additional domain controller in an existing domain. (On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo, to stop DNS from being installed.)
2. Use [Add/Remove Programs] (Windows Components/Networking Services) or the Configure your Server wizard to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role.
3. Open the Forwarders tab in the [Properties] of the server object in the DNS management tool. Make sure there is an entry for All other DNS domains and add the addresses for each of the DNS Caching Resolvers to the forwarders list for this entry.
4. Use [Change Active Directory server definitions] on the Interface for Host Updates page, linked from the OUCS DNS page, to register this server. You need to include the unitname part (e.g. oucsserver1.oucs, bncw2k1.bnc).
5. Stop the domain controller from trying to register the A record for the domain name by adding DnsAvoidRegisterRecords under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters registry key, and entering the data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon. This may not be supported on Windows 2000, only 2003 upwards.
6. Run netdiag /v /test:dns and dcdiag /v /test:dns using the Support Tools included on the Windows server CD (the latter won't work on 2000) to check that everything looks good.
If you have a forest with more than one domain, or you need to set up trusts between two domains in different forests, so long as both are set up using this configuration (i.e. using the existing DNS name for the Active Directory domain name) then everything should work with minimal additional configuration.
If you have problems, make sure that your firewall configuration is correct, as per the next section. Also make sure that the domain controllers, including the DNS servers, running in the different domains can communicate with each other through any firewalls that are between them.
For domain controllers running 2003 and above, for the forest root domain only, the _msdcs.unitDNSname.ox.ac.uk zone should be configured to replicate to All DNS servers in the Active Directory forest.
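The zone-creation steps from sections 3 and 4 and the _msdcs replication scope just described, scripted with dnscmd as an added example; it is not part of the OUCS page and not a Microsoft script. It assumes the forest root domain on Windows Server 2003 or later, and every name and address in it is a placeholder.

```powershell
# Added example, not from the OUCS page or from Microsoft: creates the subdomain
# zones OUCS delegate to a unit on the first domain controller with dnscmd
# (Windows Server 2003 and later, so it also suits 2008 Server Core). Every zone
# is stored in Active Directory, accepts secure dynamic updates only and gets the
# responsible-person address in the dotted SOA form; the server forwards all other
# domains to the OUCS caching resolvers. Assumes the forest root domain; every
# name and address below is a placeholder to replace.
$Unit       = 'unit.ox.ac.uk'                # the domain's existing DNS name
$Resolvers  = @('192.0.2.53', '192.0.2.54')  # placeholder caching resolver addresses
$Hostmaster = 'hostmaster@unit.ox.ac.uk'     # responsible person, as an e-mail address
$DcFqdn     = "$env:COMPUTERNAME.$Unit"      # this DC, used as the SOA primary server

# '@' becomes '.', and a '.' is appended, exactly as the Appendix describes
function ConvertTo-SoaRname([string]$Email) {
    if ($Email -notmatch '^[^@\s]+@[^@\s]+$') { throw "Not an e-mail address: $Email" }
    return ($Email -replace '@', '.') + '.'
}

# Delegated subdomains and the replication scope of each: the forest root's _msdcs
# and ForestDnsZones replicate forest-wide, the rest only within the domain.
# DomainDnsZones and ForestDnsZones do not apply to Windows 2000-only domains.
$Zones = @{
    "_msdcs.$Unit"         = '/forest'
    "_sites.$Unit"         = '/domain'
    "_tcp.$Unit"           = '/domain'
    "_udp.$Unit"           = '/domain'
    "DomainDnsZones.$Unit" = '/domain'
    "ForestDnsZones.$Unit" = '/forest'
}
$Rname = ConvertTo-SoaRname $Hostmaster

foreach ($Zone in $Zones.Keys) {
    $Scope = $Zones[$Zone]
    & dnscmd /ZoneAdd $Zone /DsPrimary                     # Active Directory-integrated primary
    & dnscmd /ZoneChangeDirectoryPartition $Zone $Scope    # the [General] tab replication setting
    & dnscmd /Config $Zone /AllowUpdate 2                  # 2 = secure dynamic updates only
    # Rewrite the SOA: primary server, responsible person, serial, then the Microsoft
    # default refresh/retry/expire/minimum TTL, which OUCS suggest lengthening
    & dnscmd /RecordAdd $Zone '@' SOA $DcFqdn $Rname 1 900 600 86400 3600
}

# The server-level "All other DNS domains" entry on the Forwarders tab
& dnscmd /ResetForwarders $Resolvers

# Show what was created, then run the health check the page recommends
foreach ($Zone in $Zones.Keys) { & dnscmd /ZoneInfo $Zone }
& dcdiag /v /test:dns
```

For a child domain, the page's rule above means changing the _msdcs scope to /domain and dropping the ForestDnsZones entry, which belongs to the forest root only.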
Many units run their own firewalls. If you do, you need to be careful about how you configure them regarding DNS traffic. While many things will work with an incorrect configuration, it may give rise to errors in the output from dcdiag and netdiag that can make it harder to identify real problems; also clients and servers can have problems locating services. Problems may be masked because systems fall back on NetBIOS name resolution, but will then become visible if this fails or is disabled.
It is recommended that you do not lock your firewall settings for DNS traffic to and from your DNS servers down more than detailed below. The first two rows are the ones that we most often see configured incorrectly (or not allowed at all).
| Source Address | Source Port | Dest. Address | Dest. Port |
|---|---|---|---|
| DNS Caching Resolvers | Any | Your internal DNS Servers | TCP 53 |
| DNS Caching Resolvers | Any | Your internal DNS Servers | UDP 53 |
| Your internal DNS Servers | Any | Any | TCP 53 |
| Your internal DNS Servers | Any | Any | UDP 53 |
In this configuration you can configure clients that are members of the domain either to use the central DNS servers, or to use your Active Directory DNS servers. Additional tools that OUCS use for diagnosing security and configuration issues will only apply for clients using the central servers.
If using the central servers, make sure that firewalls are configured correctly as per the previous section or lookups routed through the central resolvers may fail.
In this configuration of DNS you cannot configure your clients to register their
names and IP addresses automatically in DNS. Depending on the way in which
applications resolve names, occasionally this can cause problems if the name of
the system (as configured in the [System] control panel) and shown in
Active Directory does not match the first part of the client's registered DNS
name.
This is most likely to be a problem for software that expects to locate workstations by appending the DNS suffix to the name registered in Active Directory. Checking the operation with a machine where the name configured matches the name registered in DNS should reveal whether this is the problem.
The simplest solution to this issue is to make sure that the names match; if this is impossible other workarounds normally exist.
If the network connection between your unit and OUCS is unavailable then you may find that logging in becomes very slow, or experience other name resolution issues. This happens because although most Active Directory records are registered on your local DNS servers, which continue to be accessible, the host records that translate between names of servers and IP addresses are held on the OUCS DNS servers.
If this is a problem for your unit, you may be able to provide resilience by
running a secondary name server for the ox.ac.uk zone and asking OUCS to arrange
for zone transfers to be allowed to a designated server. You then need to make
sure that your domain controllers are configured to look up requests for
ox.ac.uk via this name server. You can do this by configuring your DNS servers
to forward requests for information about ox.ac.uk to this secondary server (add
an entry for ox.ac.uk in the Forwarders tab in the
[Properties] of the server object in the DNS management tool, or
on Windows 2008, by an entry in the Conditional Forwarders
folder).
You may be able to configure one of your existing Windows DNS servers to act as
this secondary server. To enquire about this service, email OUCS in the usual
way. If you decide to use one of your Windows DNS servers to manage the
secondary zone, use the DNS Manager to create a new zone of
type [Secondary] and configure zone transfers as directed by OUCS.
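The secondary zone and the ox.ac.uk forwarder described above, as an added dnscmd example that is not from the OUCS page. The master and secondary addresses are placeholders, and the zone transfer itself still has to be permitted by OUCS.

```powershell
# Added example, not from the OUCS page: keeps ox.ac.uk host lookups working
# while the link to OUCS is down by holding a secondary copy of the zone on one
# Windows DNS server and pointing the unit's other DNS servers at it.
# Addresses are placeholders; OUCS must first allow transfers to the secondary.
$Zone           = 'ox.ac.uk'
$OucsMaster     = '192.0.2.1'   # placeholder: the OUCS server that sends the zone transfers
$LocalSecondary = '10.0.0.5'    # placeholder: your designated secondary server

# Run on the designated secondary server (DNS Manager: New Zone, type Secondary)
function Add-OxSecondaryZone {
    & dnscmd /ZoneAdd $Zone /Secondary $OucsMaster   # standard secondary zone, master at OUCS
    & dnscmd /ZoneRefresh $Zone                      # pull the zone now, not at the next refresh
    & dnscmd /ZoneInfo $Zone                         # confirm it loaded and shows a serial number
}

# Run on every other DNS server in the unit: the ox.ac.uk entry on the Forwarders
# tab (2003) or in the Conditional Forwarders folder (2008)
function Add-OxConditionalForwarder {
    & dnscmd /ZoneAdd $Zone /Forwarder $LocalSecondary
}

# From any machine: check that the secondary answers for ox.ac.uk on its own,
# which is what the domain controllers will rely on during an outage
function Test-OxSecondary {
    nslookup -type=SOA $Zone $LocalSecondary
}
```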
With this option, the central DNS servers continue to manage most of the DNS registrations for clients in your domain, including the host (A) records for your domain controllers. You should continue to register the names and IP addresses for your domain controllers, servers and clients in the usual way using the Interface for Host Updates page, linked from the OUCS DNS page.
The last two on the list are not used by Windows 2000-only domains.
The zones in the list above should be configured as Active Directory-integrated and to allow secure dynamic updates. The central DNS servers do not allow dynamic updates, so this method gives a good balance between convenience and security.
One set of records cannot be registered using this method and these are the host records for the domain itself. Each domain controller will normally register this record to resolve to itself. Generally the lack of this record does not cause problems; however there are a couple of scenarios where it may. Refer to the Known Issues section for further details.
In Active Directory, domain controllers need to register various services in the DNS so that other domain controllers, servers and clients can locate them and the services they offer. The main records that are needed for an Active Directory domain called unitDNSname.ox.ac.uk are Service (SRV) Resource Records that are registered in the various subdomains listed above.
There are normally at least 20 or so of these records per domain controller, and some of them are very long and involve GUIDs. The records registered will change with certain operations such as changing global catalog servers and adding domain controllers. Windows servers can register these records dynamically, and because of the number of records and the potential for changes, there is less room for error if domain controllers at least are allowed to update the records themselves.
For security reasons the main Oxford DNS servers will not allow the dynamic updating of records, so early discussions of interested parties within the University decided that for any unit installing Active Directory, the main DNS servers would delegate responsibility for the subdomains shown above (i.e. _tcp, _udp, _sites etc.) to one or two DNS servers installed in that unit. The unit should then configure domain controllers for their Active Directory domain to use the locally installed DNS servers, which will enable them to update their DNS entries dynamically.
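To see the delegation concretely, here is an added PowerShell (3 or later) example, not from the OUCS page, that reads the records a domain controller tries to register and reports which delegated zone each one falls in; the only record left at the domain level is the A record for the domain name that section 3 suppresses. The sample lines are constructed in the format of netlogon.dns.

```powershell
# Added example, not from the OUCS page: reads what a domain controller wants to
# register (the netlogon.dns format: owner TTL IN type rdata) and reports the
# delegated zone each record lands in. A record owned by the domain name itself
# sits at the level the central servers keep, so it is never registered in this
# configuration. The sample lines are constructed; for real data pass
# Get-Content C:\Windows\System32\Config\netlogon.dns as -Lines.
function Get-NetlogonRecordPlacement {
    param([string]$Domain, [string[]]$Lines)
    $delegated = '_msdcs', '_sites', '_tcp', '_udp', 'DomainDnsZones', 'ForestDnsZones'
    foreach ($line in $Lines) {
        if ($line -match '^(?<owner>\S+)\s+\d+\s+IN\s+(?<type>\S+)\s+\S') {
            $owner = $Matches.owner.TrimEnd('.')
            $type  = $Matches.type
            if ($owner -ne $Domain -and $owner -notlike "*.$Domain") { continue }
            # Labels between owner and domain, e.g. _ldap, _tcp for _ldap._tcp.unit.ox.ac.uk
            $labels = $owner.Substring(0, $owner.Length - $Domain.Length).Split('.',
                          [StringSplitOptions]::RemoveEmptyEntries)
            # The label directly below the domain names the delegated zone, if it is one
            $zone = if ($labels.Count -gt 0 -and $delegated -contains $labels[-1]) {
                        "$($labels[-1]).$Domain" } else { $Domain }
            $note = ''
            if ($zone -eq $Domain -and $type -eq 'A') {
                $note = 'domain A record (LdapIpAddress): suppress with DnsAvoidRegisterRecords'
            }
            [pscustomobject]@{
                Owner      = $owner
                Type       = $type
                Zone       = $zone
                Registered = ($zone -ne $Domain)   # false = held at the central servers' level
                Note       = $note
            }
        }
    }
}

# Constructed sample of what one DC in unit.ox.ac.uk writes to netlogon.dns
$sample = @(
    'unit.ox.ac.uk. 600 IN A 192.0.2.10',
    '_ldap._tcp.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.',
    '_kerberos._tcp.Default-First-Site-Name._sites.unit.ox.ac.uk. 600 IN SRV 0 100 88 dc1.unit.ox.ac.uk.',
    '_ldap._tcp.pdc._msdcs.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.',
    'gc._msdcs.unit.ox.ac.uk. 600 IN A 192.0.2.10',
    '_ldap._tcp.DomainDnsZones.unit.ox.ac.uk. 600 IN SRV 0 100 389 dc1.unit.ox.ac.uk.',
    '_kpasswd._udp.unit.ox.ac.uk. 600 IN SRV 0 100 464 dc1.unit.ox.ac.uk.'
)
Get-NetlogonRecordPlacement -Domain 'unit.ox.ac.uk' -Lines $sample | Format-Table -AutoSize
```

Every row except the first reports Registered = True; the first is the record the central servers hold and that DnsAvoidRegisterRecords stops the domain controller retrying.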
The following diagram shows the various subdomains for unit.ox.ac.uk and the DNS servers that will be responsible for each.
Note that while the local DNS server can be installed on a member server, installing onto a domain controller allows the DNS lookup zones to be Active Directory-integrated, which has two main advantages. Firstly, enhanced security features can be used; for example dynamic updates can be restricted to computers that are members of the domain. Secondly, if you add a second DNS server on another domain controller for fault tolerance, you only need to configure the zones on the first server, not the second, as the zones and records are replicated automatically between domain controllers.
10. Appendix: How to Create and Configure a Zone
Start the DNS management console ([Start/Programs/Administrative Tools/DNS]). Open up your server (OUCS-PHANTOM in the example below) in the left hand window and you should see two folders — Forward Lookup Zones and Reverse Lookup Zones. There should be nothing in either of them.
If there is an entry under Forward Lookup Zones (there may be one called unitname.ox.ac.uk) then delete it.
Now right-click on the Forward Lookup Zone folder and select [New
Zone]. Click on Next and then choose [Primary]
as the zone type and make sure the option to Store the zone in Active
Directory is checked.
Click on Next and type in the name of the zone you want to create. The zones are as follows (replace unitDNSname with the appropriate name for your unit). Click on Next, check that the details are correct and click on Finish. You should now have an entry for the zone visible within the Forward Lookup Zones folder.
Right-click on this entry and select [Properties]. First check on the [General] tab that [Only secure updates] is the setting for [Allow dynamic updates?].
Next click on the [Start of Authority (SOA)] tab and change the [Responsible person] entry. This box should contain a valid e-mail address which will be directed to the person responsible for the server. By convention you should substitute a . for the @ in the e-mail address. You should also include a . at the end of the address.
Consider changing the various time intervals. The main Oxford DNS servers use the following intervals, which are considerably longer than the Microsoft defaults.
There may be advantages in leaving the defaults until you have set up your server completely. However, once set up, it is unlikely that you will be making too many changes that affect the DNS, and the above settings may be more appropriate.