skip to content

IT Help and Support

University Information Services
 

Version information

These pages deal with the configuration of DNS for use with Active Directory within the UDN. It is assumed you are already familiar with DNS/Active Directory. The information here applies to all current versions of Windows Server.

If you are going to use BIND rather than the Windows DNS you can find information on configuring BIND to work with Active Directory at http://technet.microsoft.com/en-gb/library/dd316373.aspx

Creating required zones

In order for Active Directory to function correctly certain Service Location (SRV) records must exist in your DNS. Our current configuration advice is to create a single primary zone for your domain. If you are changing your DNS to use a single primary zone from a previous configuration of the underscore zones and Directory partition zones there is no reason to change your existing Domain name or structure. If you are creating a new Domain, or are planning on migrating to a new Domain, we suggest the name should be in the form of

"ad.institutionaldnsdomainname.cam.ac.uk".

The ad part is an optional choice but does make it clear that it is an Active Directory in your institution.

As an alternative you could use the ad.cam.ac.uk Domain rather than your own. This removes the burden of running and maintaining an Actve Directory and will allow your internal namespace to be resolvable anywhere on the UDN. This can facilitate the movement of Domain based computers from your Domain around the UDN.

You should avoid the use of .local as a name, which unfortunately is often still recommended in some Microsoft documentation. The reason for this is that local can cause conflicts with UPNP, Bonjour and Multicast DNS.

The primary zone solution

The simple way to support SRV records is to create a single primary forward and reverse lookup zone for your Domain (whatever the current name is) and set it to allow dynamic updates. With all your systems using your DNS servers only (Do not use any other DNS server in client or sever IP configuration settings) all DNS requests will either be resolved locally for your Domain or forwarded to the UCS recursive name servers.

It is important to remember that you need to maintain records in your DNS for anything that has the same DNS Domain name but which does not automatically register records in your DNS. This may be A records as well as CNAMES. This is very important to remember where you are maintaining an insititutional-name.cam.ac.uk domain name where you expect internal clients to connect to external facing servers which do not automatically register records in DNS.

 

Use of forwarders to the recursive name servers

Assuming that you will be following our advice to use a single primary zone for your Domain you will need to use forwarders for name resolution outside of your Domain.

  • Right click on your server object in a DNS MMC and display the properties.
  • In the forwarders tab add the recursive name servers.

The recursive name servers are 131.111.8.42 and 131.111.12.20. These will display as resolving to recdns0.csx.cam.ac.uk and recdns1.csx.cam.ac.uk respectively.

Reverse lookup zones

You should make sure that your hosts are available via a reverse lookup. To make sure this happens you have 3 choices;

1) Create a reverse lookup zone as a primary zone for your IP ranges, make sure all systems in your network use and are registered correctly in your DNS.

3) Establish forwarders.

If no reverse zone exits DNS will pass the request on using forwarders. As long as your systems are correctly registered with IP register then your reverse lookups will succeed, but may resolve to a different name.

Valid DNS names

Whatever Domain Name you choose you must comply with the DNS naming rules which are:

Valid DNS name characters

The following characters may be used to construct a DNS name.

  • A-Z
  • a-z
  • 0-9
  • - (a hyphen or dash)

No underscores or other characters are allowed.

NetBIOS names

A system's NetBIOS name will be it's DNS host name by default. You should keep it this way in most circumstances.

NetBIOS names do not follow the same rules as DNS names - you can have invalid DNS characters in a NetBIOS name.

Although the characters listed below are valid characters allowed in NetBIOS names they should not be used as they are not allowed in DNS names;

! @ # $ % ^ & ( ) _ ' { } . ~

These should be removed from your naming schemes.

Known issues, hints and tips

Always configure your DNS before running DCPROMO. If you allow the DCPROMO wizard to configure your DNS it will do it wrong and you will end up having to re-configure.

We have noticed on a number of occasions issues with the _msdcs being created outside of your primary zone as a primary and a greyed out (delegated) _msdcs zone is created inside your primary domain zone. Simply delete both _msdcs zones and re-start netlogon on your DCs to re-register SRV records.

Server 2008 and later change your server IP settings to use local host (127.0.0.1) as the primary DNS server automatically when you first install a new Domain and DNS. With a single DNS server this is fine but with you should avoid using this configuration with multiple DNS servers, especially with Active Directory Integrated zones. Always change the DNS servers to the IP Address of your DNS Servers. You should also point your DC's to use the DNS of antoher DC as its primary to ensure that DNS is available when a system re-starts.

You must have reverse lookup zones for your Domain. You can create these as primary's for IP ranges that you are using. In most cases create a reverse lookup zone for the first three IP blocks in your IPv4 address, e.g. if you use 172.28.15.x you would need a reverse zone of 15.28.172.in-addr.arpa.

For purposes of name resolution there are no differences between the R2 and non R2 versions of Windows server. You can use either and mix versions in your Domain.

Additional information and troubleshooting

Multiple subnet issues

Some older Microsoft and third party software and services still require that the NetBIOS is available. This could be a problem for name resolution with networks using more than one IP subnet where a DC is not available on all subnets. The simple solution is to run a DC on all your subnets with a global catalog or a WINS server on your network.

Active Directory Integrated DNS

Active Directory Integrated DNS provides the most secure and robust provision of DNS for your AD Domain. The benefit of AD Integrated is that only secure updates are allowed, i.e. clients have to be Domain members to register records. With AD integrated zones DNS information is passed between servers by Directory replication as part of the normal replication process. If you are using AD Integrated zones then every DC should have DNS installed on it to get the benefits of security and replication.

Client and server DNS settings

Your clients and servers only need to use your DNS servers, you should have at least 2. You do not need to use the central DNS servers in your IP settings on any of your clients.

Name resolution issues

In environments where subsets of clients use different DNS, AD for Windows and central for other, you need to make sure that your clients have all the required search paths in their configuration.

In the TCP/IP settings of a client select the Advanced properties and then the DNS tab.

Select the option Append these DNS suffixes (in order): and enter in;

  • institutional-domain-name.cam.ac.uk
  • institutional-domain-name.private.cam.ac.uk

You do need to be careful about name selection in these scenarios as duplicate names are possible and depending on the search order you may find clients resolve to the wrong host name.

Zone transfers

If you enable Zone Transfers by default they will be enabled to any server which requests them. While this is unlikely to be an issue you may wish to restrict zone transfers only to your own name servers. To do this select the Properties of a zone and then select the Zone Transfers tab. Here you can specify either only to servers listed in the Name Servers tab or to a list of servers.

Second DNS server

It is advisable to have a second DNS server on your network for fault tolerance. For preference use Active Directory Integrated. If you do not AD integrate you need to configure the second DNS to slave your zones from the first server which has DNS. Slave the zones from this first server as SECONDARY zones.