If you run Active Directory, it is vital that the DNS configuration is correct: DNS problems can break replication between domain controllers or leave workstations unable to find servers or services. Because it is so important, these pages give detailed information on how to configure DNS to support Active Directory.
If you're running Active Directory it's helpful to understand the basics of how DNS works. If you need a starting point, try the Wikipedia entry on Domain name system, particularly the section on How DNS works in theory.
NB these pages were revised in 2008. If you need the DNS configuration pages that existed before then, you need the recommended solution (Option 1) above.
If you want to know more about the differences between the two options, read on.
2. Active Directory Domain Naming
Previously these pages described one option for naming your Active Directory domain (Option 1 below) and this remains the recommended option. However it is occasionally necessary to use a different name, or you may have taken over the management of a domain with a different name. This is described in Option 2.
The majority of installations will be using Option 1. If you are considering Option 2, a good understanding of DNS is helpful, and we'd suggest researching the possible implications for Active Directory (some links to Microsoft documentation are given below). Mixing the two options within the same forest is likely to be possible, but is beyond the scope of this documentation.
The next section explores the options in more detail, and Microsoft provide a wealth of further information such as Creating Internal and External Domains and Using an Internal Subdomain as well as Disjoint Namespace.
2.2. In Detail
Microsoft Active Directory is designed to use the DNS to enable servers and workstations to locate services (such as domain controllers) running within the Active Directory namespace.
To support an Active Directory domain called example.org, DNS servers that manage the example.org subdomain must be available to your domain controllers and workstations.
The following diagrams show the Active Directory and part of the DNS namespace that would correspond to example.org.
Figure ad-example.gif [Active Directory for example.org]
Figure dns-example.gif [Part of DNS namespace showing example.org]
Microsoft Active Directory currently supports several possible DNS namespace configurations as follows.
See Namespace planning for DNS for more information.
Within the University the third option is likely to be very rare, as workstations using this option would not be able to access the internet (or indeed access systems outside the unit). So we'll concentrate on the other two.
Option 1: Use the existing DNS name of your unit for your Active Directory domain name (Recommended)
Using the same namespace for both external and internal purposes (option 1) has been the recommended solution within the University environment since Active Directory was released. It is probably the easier to understand and you are less likely to run into name resolution issues. Many University installations of Active Directory use this method successfully. In this scenario, a unit uses its existing DNS name (e.g. chem.ox.ac.uk, oucs.ox.ac.uk) as its Active Directory domain name. It continues to be the recommended solution.
There is one known limitation in that, as most units only have a single DNS name available, they are restricted to one Active Directory domain. As it is generally recommended to stick to a single domain if at all possible, for most locations this is not a problem. Occasionally a second domain is essential, in which case option 2 may be a way forward. There are different options on the choice of the internal name, which will be covered in subsequent sections.
In addition, because of the way in which DNS registrations are handled, occasional problems can result because the A records for the domain are not registered. Each domain controller will attempt to register an A record for the name of the domain (i.e. unit.ox.ac.uk) to resolve to its own IP address. However, this issue can normally be addressed where necessary. Refer to the Configuring DNS to Support Active Directory using an Existing DNS Name (Option 1) pages for full details.
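The two points above (Active Directory locating domain controllers through DNS, and the domain-name A record not being registered under Option 1) can be checked against a zone listing. The following is an added example, not part of the original pages: it audits a constructed listing for example.org. The SRV owner names are the standard domain controller locator records, which these pages do not list, and the hosts and addresses are illustrative.

```python
# Constructed sample listing (name ttl class type rdata) for an Option 1 domain
# called example.org; hosts and addresses are illustrative, not real data.
SAMPLE_ZONE = """\
example.org.                        600  IN A   192.0.2.80
dc1.example.org.                    3600 IN A   192.0.2.10
_ldap._tcp.example.org.             600  IN SRV 0 100 389 dc1.example.org.
_kerberos._tcp.example.org.         600  IN SRV 0 100 88  dc1.example.org.
_ldap._tcp.dc._msdcs.example.org.   600  IN SRV 0 100 389 dc1.example.org.
_ldap._tcp.dc._msdcs.example.org.   600  IN SRV 0 100 389 dc2.example.org.
_ldap._tcp.pdc._msdcs.example.org.  600  IN SRV 0 100 389 dc1.example.org.
"""

# Standard domain controller locator SRV owners, relative to the AD domain name.
REQUIRED_SRV = ("_ldap._tcp", "_kerberos._tcp", "_ldap._tcp.dc._msdcs",
                "_kerberos._tcp.dc._msdcs", "_ldap._tcp.pdc._msdcs")

def parse_zone(text):
    """Return (owner, type, rdata_fields) tuples; ';' starts a comment."""
    records = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue  # blank or malformed line
        name, _ttl, _cls, rtype, *rdata = fields
        records.append((name.lower().rstrip("."), rtype.upper(), rdata))
    return records

def audit(domain, records):
    """Report which records an AD client would fail to find for `domain`."""
    domain = domain.lower().rstrip(".")
    a, srv = {}, {}  # host -> addresses, SRV owner -> target hosts
    for name, rtype, rdata in records:
        if rtype == "A":
            a.setdefault(name, set()).add(rdata[0])
        elif rtype == "SRV" and len(rdata) == 4:
            srv.setdefault(name, set()).add(rdata[3].lower().rstrip("."))
    dcs = srv.get(f"_ldap._tcp.dc._msdcs.{domain}", set())
    dc_ips = set().union(*(a.get(host, set()) for host in dcs))
    apex = a.get(domain, set())
    return {
        "missing_srv": [p for p in REQUIRED_SRV if f"{p}.{domain}" not in srv],
        "domain_controllers": sorted(dcs),
        "dcs_without_a": sorted(h for h in dcs if h not in a),
        "apex_a": sorted(apex),
        "apex_resolves_to_dc": bool(apex & dc_ips),
    }

REPORT = audit("example.org", parse_zone(SAMPLE_ZONE))
```

In the sample, the domain name resolves to an address that belongs to no domain controller, which is the Option 1 condition described above; the report also flags a locator record that is absent and a domain controller that has SRV entries but no A record.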
Option 2: Use a different name from the existing DNS name of your unit for your Active Directory domain name
For both options 1 and 2, within the context of Oxford University, the external namespace for a unit will be the existing subdomain already provided by the Domain Name System service run by the Computing Services (such as oucs.ox.ac.uk, chem.ox.ac.uk etc.). For option 1 your Active Directory domain is given the same name as your allocated DNS subdomain. However, for option 2, while workstations and servers retain their existing public DNS identities, your Active Directory domain is configured to use a different internal name. Servers and workstations will have dual identities, one in the usual external namespace, and the other in the internal private namespace.
Using this option, unlike option 1, the A records for the domain name are registered, and units can have multiple Active Directory domains. For machines that are part of the domain, everything should work as expected. On the other hand, people who are accessing domain resources from machines that are not part of the domain will need to use the external name of the resource, rather than the domain name, and if there is no equivalent (e.g. the domain name itself), this could lead to problems. We would recommend further reading via the links below before deciding to use this option. It is likely to work best in environments where little or no access is required from systems outside your unit and domain.
For more information see Microsoft's pages on Creating Internal and External Domains and Using an Internal Subdomain as well as Disjoint Namespace.
If you are still unsure about which option is best for you or have further questions, please email OUCS via email@example.com, including Active Directory DNS on the subject line to discuss the options.