dns 2008 operations

8/6/2019 DNS 2008 Operations

1/5

DNS Server Role

Updated: January 21, 2008

Domain Name System (DNS) is a system for naming computers and network services that is organized into ahierarchy of domains. TCP/IP networks, such as the Internet, use DNS to locate computers and services throughuser-friendly names.

To make using network resources easier, name systems such as DNS provide a way to map the user-friendly namefor a computer or service to other information that is associated with that name, such as an IP address. A user-friendly name is easier to learn and remember than the numeric addresses that computers use to communicateover a network. Most people prefer to use a user-friendly namefor example, sales.fabrikam.comto locate an e-mail server or Web server on a network rather than an IP address, such as 157.60.0.1. When a user enters a user-friendly DNS name in an application, DNS services resolve the name to its numeric address.

What does a DNS server do?

2010 Microsoft Corporation. All rights reserved.

A DNS server provides name resolution for TCP/IP-based networks. That is, it makes it possible for users of clientcomputers to use names rather than numeric IP addresses to identify remote hosts. A client computer sends thename of a remote host to a DNS server, which responds with the corresponding IP address. The client computercan then send messages directly to the remote host's IP address. If the DNS server does not have an entry in itsdatabase for the remote host, it can respond to the client with the address of a DNS server that is more likely tohave information about that remote host, or it can query the other DNS server itself. This process can take placerecursively until either the client computer receives the IP address or it is established that the queried name doesnot belong to a host within the specific DNS namespace.

The DNS server in the Windows Server2008 operating system complies with the set of Requests for Comments(RFCs) that define and standardize the DNS protocol. Because the DNS Server service is RFC-compliant and it canuse standard DNS data file and resource record formats, it can work successfully with most other DNS serverimplementations, such as DNS implementations that use the Berkeley Internet Name Domain (BIND) software.

In addition, the DNS server in Windows Server 2008 provides the following special benefits in a Windows-basednetwork:

Support for Active Directory Domain Services (AD DS)

DNS is required for support of AD DS. If you install the Active Directory Domain Services role on a server, you

can automatically install and configure a DNS server if a DNS server that meets AD DS requirements cannot

be located.

DNS zones can be stored in the domain or application directory partitions of AD DS. A partition is a data

container in AD DS that distinguishes data for different replication purposes. You can specify in which

Active Directory partition to store the zone and, consequently, the set of domain controllers among which that

zone's data will be replicated.

In general, use of the Windows Server 2008 DNS Server service is strongly recommended for the best

possible integration and support of AD DS and enhanced DNS server features. You can, however, use another

type of DNS server to support AD DS deployment.

Stub zones

DNS running on Windows Server 2008 supports a zone type called a stub zone. A stub zone is a copy of azone that contains only the resource records that are necessary to identify the authoritative DNS servers for

that zone. A stub zone keeps a DNS server hosting a parent zone aware of the authoritative DNS servers for

its child zone. This helps maintain DNS name-resolution efficiency.

Integration with other Microsoft networking services

The DNS Server service provides integration with other services, and it contains features that go beyond the

features that are specified in the DNS RFCs. These features include integration with other services, such as

AD DS, Windows Internet Name Service (WINS), and Dynamic Host Configuration Protocol (DHCP).

Improved ease of administration

The DNS snap-in in Microsoft Management Console (MMC) offers a graphical user interface (GUI) for

managing the DNS Server service. Also, there are several configuration wizards for performing common

Page 1 of 5DNS Server Role

12/30/2010http://technet.microsoft.com/en-us/library/cc753635(WS.10,printer).aspx


2/5

Who will be interested in this server role?

Are there any special considerations?

What new functionality does this server role provide?

server administration tasks. In addition to the DNS console, other tools are provided to help you better

manage and support DNS servers and clients on your network.

RFC-compliant dynamic update protocol support

Clients can use the DNS Server service to dynamically update resource records, based on the dynamic update

protocol (RFC 2136). This improves DNS administration by reducing the time needed to manage these records

manually. Computers running the DNS Client service can register their DNS names and IP addresses

dynamically. In addition, the DNS Server service and DNS clients can be configured to perform secure

dynamic updates, a capability that enables only authenticated users with appropriate rights to update

resource records on the server. Secure dynamic updates are available only for zones that are integrated withAD DS.

Support for incremental zone transfer between servers

Zone transfers replicate information about a portion of the DNS namespace among DNS servers. Incremental

zone transfers replicate only the changed portions of a zone, which conserves network bandwidth.

Conditional forwarders

The DNS Server service extends a standard forwarder configuration with conditional forwarders. A conditional

forwarder is a DNS server on a network that forwards DNS queries according to the DNS domain name in the

query. For example, a DNS server can be configured to forward all the queries that it receives for names

ending with sales.fabrikam.com to the IP address of a specific DNS server or to the IP addresses of multiple

DNS servers.

All but the simplest TCP/IP networks require access to one or more DNS servers to function properly. Withoutname resolution and the other services that are provided by DNS servers, client access to remote host computerswould be prohibitively difficult. For example, without access to a DNS server, browsing the World Wide Web wouldbe virtually impossible: the vast majority of hypertext links that are published on the Web use the DNS name ofWeb hosts rather than their IP addresses. The same principle applies to intranets because computer users rarelyknow the IP addresses of computers on their local area network (LAN).

Consider deploying the DNS Server service in Windows Server 2008 if your network contains any of the following:

Domain-joined computers

Windows-based, DHCP-client computers

Computers that are connected to the Internet

Branch offices or domains that are located on a wide area network (WAN)

If you want to integrate the DNS Server service with AD DS, you can install DNS at the same time that you installAD DS, or you can install DNS after you install AD DS and then integrate DNS as a separate step. You can installfile-backed DNS servers (that is, DNS servers that are not integrated with AD DS) on any computers in thenetwork. Of course, you must take into consideration your network topology and traffic distribution when youdecide where to deploy your DNS servers.

The DNS Server service in Windows Server 2008 includes a number of new and enhanced features compared to theDNS Server service that was available in the Microsoft Windows NT Server, Windows 2000 Server, andWindows Server2003 operating systems. The following sections describe these features.

Background zone loading

Very large organizations with extremely large zones that store their DNS data in AD DS sometimes discover thatrestarting a DNS server can take an hour or more while the DNS data is retrieved from the directory service. Theresult is that the DNS server is effectively unavailable to service client requests for the entire time that it takes toload AD DS-based zones.

A DNS server running Windows Server 2008 now loads zone data from AD DS in the background while it restarts sothat it can respond to requests for data from other zones. When the DNS server starts, it:




3/5

Enumerates all zones to be loaded.

Loads root hints from files or AD DS storage.

Loads all file-backed zones, that is, zones that are stored in files rather than in AD DS.

Begins responding to queries and remote procedure calls (RPCs).

Spawns one or more threads to load the zones that are stored in AD DS.

Because the task of loading zones is performed by separate threads, the DNS server is able to respond to querieswhile zone loading is in progress. If a DNS client requests data for a host in a zone that has already been loaded,the DNS server responds with the data (or, if appropriate, a negative response) as expected. If the request is for anode that has not yet been loaded into memory, the DNS server reads the node's data from AD DS and updatesthe node's record list accordingly.

Why is this functionality important?

The DNS server can use background zone loading to begin responding to queries almost immediately when itrestarts, instead of waiting until its zones are fully loaded. The DNS server can respond to queries for the nodesthat it has loaded or that can be retrieved from AD DS. This functionality also provides another advantage whenzone data is stored in AD DS rather than in a file: AD DS can be accessed asynchronously and immediately when aquery is received, while file-based zone data can be accessed only through a sequential read of the file.

Support for IPv6 addresses

IP version 6 (IPv6) specifies addresses that are 128 bits long, compared to IPv4 addresses, which are 32 bits long.This greater address length allows for a much larger number of globally unique addresses to accommodate the

explosive growth of the Internet around the world.

DNS servers running Windows Server 2008 now support IPv6 addresses as fully as they support IPv4 addresses.For example, in the DNS snap-in, wherever an IP address is typed or displayed, the address can take the form ofan IPv4 address or an IPv6 address. The dnscmd command-line tool also accepts addresses in either format. Inaddition, DNS servers can now send recursive queries to IPv6-only servers, and the server forwarder list cancontain both IPv4 and IPv6 addresses. DHCP clients can also register IPv6 addresses in addition to (or instead of)IPv4 addresses. Finally, DNS servers now support the ip6.arpa domain namespace for reverse mapping.


The IPv6 addressing protocol is emerging as an important factor in the growth of the Internet. Support for IPv6addressing in Windows Server 2008 ensures that DNS servers will be able to support present and future DNSclients that are designed to take advantage of the benefits of IPv6 addresses.

How should I prepare for this change?

Because DNS servers can now return both IPv4 host (A) resource records and IPv6 host (AAAA) resource records inresponse to queries, make sure that DNS client software on your network can handle such responses appropriately.It might be necessary to upgrade or replace older DNS client software to ensure compatibility with this change.

Read-only domain controller support

Windows Server 2008 introduces a new type of domain controller, the read-only domain controller (RODC). AnRODC provides, in effect, a shadow copy of a domain controller that cannot be directly configured, which makes itless vulnerable to attack. You can install an RODC in locations where physical security for the domain controllercannot be guaranteed.

To support RODCs, a DNS server running Windows Server 2008 supports a new type of zone, the primary read-only zone (also sometimes referred to as a branch office zone). When a computer becomes an RODC, it replicates afull read-only copy of all of the application directory partitions that DNS uses, including the domain partition,

ForestDNSZones and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions. Theadministrator of an RODC can view the contents of a primary read-only zone; however, the administrator canchange the contents only by changing the zone on the centrally located domain controller.


AD DS relies on DNS to provide name-resolution services to network clients. The changes to the DNS Serverservice are required to support AD DS on an RODC.

GlobalNames zone

Today, many Microsoft customers deploy WINS in their networks. As a name-resolution protocol, WINS is often




4/5

used as a secondary name-resolution protocol alongside DNS. WINS is an older protocol, and it uses NetBIOS overTCP/IP (NetBT). Therefore, it is approaching obsolescence. However, organizations continue to use WINS becausethey appreciate having the static, global records with single-label names that WINS provides.

So that organizations can move to an all-DNS environment (or to provide the benefits of global, single-label namesto all-DNS networks), the DNS Server service in Windows Server 2008 now supports a zone called GlobalNames tohold single-label names. In typical cases, the replication scope of this zone is the entire forest, which ensures thatthe zone has the desired effect of providing unique, single-label names across the entire forest. In addition, theGlobalNames zone can support single-label name resolution throughout an organization that contains multipleforests when you use Service Location (SRV) resource records to publish the location of the GlobalNames zone.

Unlike WINS, the GlobalNames zone is intended to provide single-label name resolution for a limited set of hostnames, typically corporate servers and Web sites that are centrally (IT) managed. The GlobalNames zone is notintended to be used for peer-to-peer name resolution, such as name resolution for workstations, and dynamicupdates in the GlobalNames zone are not supported. Instead, the GlobalNames zone is most commonly used tohold CNAME resource records to map a single-label name to a fully qualified domain name (FQDN). In networksthat are currently using WINS, the GlobalNames zone usually contains resource records for IT-managed namesthat are already statically configured in WINS.

When the GlobalNames zone is deployed, single-label name resolution by clients works as follows:

1. The client's primary DNS suffix is appended to the single-label name, and the query is submitted to the DNSserver.

2. If that FQDN does not resolve, the client requests resolution using its DNS suffix search lists (such as thosespecified by Group Policy), if any.

3. If none of those names resolve, the client requests resolution using the single-label name.4. If the single-label name appears in the GlobalNames zone, the DNS server hosting the zone resolves the

name. Otherwise, the query fails over to WINS.

No changes to client software are required to enable single-label name with this feature.

The GlobalNames zone provides single-label name resolution only when all authoritative DNS servers are runningWindows Server 2008. However, other DNS servers (that is, servers that are not authoritative for any zone) can berunning other operating systems. Of course, the GlobalNames zone must be the only zone with that name in theforest.

To provide maximum performance and scalability, it is recommended that the GlobalNames zone be integratedwith AD DS and that each authoritative DNS server be configured with a local copy of the GlobalNames zone.AD DS integration of the GlobalNames zone is required to support deployment of the GlobalNames zone acrossmultiple forests.

Global Query block list

Most TCP/IP networks support the dynamic update feature of DNS because dynamic update is convenient fornetwork administrators and users alike. Dynamic update makes it possible for DNS client computers to register anddynamically update their resource records with a DNS server whenever a client changes its network address orhost name. This reduces the need for manual administration of zone records, especially for clients that frequentlymove or change locations and use DHCP to obtain an IP address. This convenience comes at a cost, however,because an authorized client can register any unused host name, even a host name that might have specialsignificance for certain applications. This can allow a malicious user to "hijack" a special name and divert certaintypes of network traffic to that user's computer.

Two commonly deployed protocols are particularly vulnerable to hijacking in this fashion: the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP). Even if a networkdoes not deploy these protocols, clients that are configured to use them are vulnerable to the hijacking that DNSdynamic update enables. To prevent such hijacking, the DNS server role in Windows Server 2008 includes a global

query block list that can help prevent a malicious user from hijacking DNS names that have special significance.

In its default configuration, the DNS Server service in Windows Server 2008 maintains a list of names that, ineffect, it ignores when it receives a query to resolve the name in any zone for which the server is authoritative. Toaccomplish this, the DNS Server service first checks queries against the list. Then, if the leftmost portion of thename matches an entry in the list, the DNS Server service replies to the query as though no resource recordexisted, even if there is a host (A) or host (AAAA) resource record in the zone for the name. In this way, if a host(A) or host (AAAA) resource record exists in the zone because a host has used dynamic update to register itselfwith a blocked name, the DNS Server service does not resolve the name. The initial contents of the block listdepend on whether WPAD or ISATAP are already deployed when you add the DNS Server role to an existingWindows Server 2008 deployment or upgrade an earlier version of Windows Server running the DNS Serverservice. Also, by using the dnscmd command-line tool, you can add or remove entries from the list or turn offenforcement of the block list altogether. All DNS servers that are authoritative for a zone must be running Windows




5/5

Server 2008 and must be configured with the same block list to ensure consistent results when clients query forresolution of names in the block list.

DNS client changes

Although not a direct consequence of changes to DNS for the DNS server role, the Windows Vista and WindowsServer 2008 operating systems introduce additional features to DNS client software, as described in the followingsections.

LLMNR

DNS client computers can use link-local multicast name resolution (LLMNR), also known as multicast DNS ormDNS, to resolve names on a local network segment when a DNS server is not available. For example, if a routerfails, cutting a subnet off from all DNS servers on the network, clients on the subnet that supports LLMNR cancontinue to resolve names on a peer-to-peer basis until the network connection is restored.

In addition to providing name resolution in case of network failure, LLMNR can also be useful in establishing adhoc, peer-to-peer networks, for example, in an airport waiting area.

Changes to the ways in w hich clients locate domain controllers

In unusual circumstances, the way that DNS clients locate domain controllers can have an impact on networkperformance:

The DC Locator component of a client computer running Windows Vista or Windows Server 2008 periodicallysearches for a domain controller in the domain to which it belongs. This functionality helps avoid performance

problems that might occur when a client locates its domain controller during a period of network failure,

thereby associating the client with a distant domain controller located on a slow link. Previously, this

association continued until the client was forced to seek a new domain controller, for example, when the

client computer was disconnected from the network for a long period of time. By periodically renewing its

association with a domain controller, a client can now reduce the probability that it will be associated with an

inappropriate domain controller.

A client computer running Windows Vista or Windows Server 2008 can be configured (programmatically, with

a registry setting, or by Group Policy) to locate the nearest domain controller instead of searching randomly.

This functionality can improve network performance in networks containing domains that exist across slow

links. However, because locating the nearest domain controller can itself have a negative impact on network

performance, this functionality is not enabled by default.

Tags:

Community Content


12/30/2010h // h i f / /lib / 753635(WS 10 i )

dns 2008 operations

Documents