Windows Active Directory - DNS
Microsoft has done a good job of making Active Directory easy to set up and manage.
There are a few common configuration mistakes that can cause a lot of problems. Since these problems seem fairly common, this section explains how to deal with them.
Installing Active Directory is easy, almost too easy, because AD will happily let you misconfigure something. When it comes time to actually do something that depends on AD, however, your setup had better be perfect or you will not be able to set up Exchange or join a client to the domain! The only indication that something is wrong comes from a few (hundred) cryptic event log errors.
Active Directory depends on DNS and time synchronization. If either of those two components is misconfigured, the event logs will scream about it. Luckily, fixing those two things is relatively easy. This section is dedicated to DNS; time synchronization will be dealt with soon in a separate article.
Windows 2000 Active Directory domain controllers must run DNS because you cannot create an Active Directory Integrated zone on a member server. Make sure at least one DC is also running the DNS Server service and is configured with the Active Directory domain zone. This limitation was changed slightly in Windows Server 2003, but it is still recommended that at least one DC run DNS.
DNS Server Properties
Start by opening the DNS Microsoft Management Console and right-clicking on the server to open the Properties. Edit the default settings to tune DNS.
- Interfaces - configure the system to listen on one IP address rather than all IP addresses even if the machine has only one IP.
- Forwarders - forward all DNS queries not resolved from the local zones or cache to upstream DNS servers, typically the DNS servers provided by the ISP. Using forwarders reduces the load on your server significantly by eliminating the need to walk the DNS hierarchy iteratively from the root for every client request.
- Monitoring - run both tests on the Monitoring tab to ensure that the server is properly resolving queries.
Forward Lookup Zone Properties
Once the general server properties are configured, it is time to configure the properties of the Active Directory Integrated zone to change a few of the default settings.
- General - set Dynamic Updates to allow nonsecure updates. Without this enabled, down-level clients cannot register themselves through Dynamic DNS. Note that nonsecure updates let any host that can reach the server add or overwrite records, so enable them only when such clients actually exist.
- Start of Authority - configure the Primary Server and Responsible Person information with the FQDN of the server and a valid e-mail address of an administrator.
- Name Servers - this value should be automatically updated as other servers are promoted to domain controllers with DNS enabled. However, this tab is useful for adding non-Windows systems that need to share DNS services.
- WINS - ideally, WINS is no longer in use on the network, but if it is, provide the IP address of one or more WINS servers preferably on the local subnet.
- Zone Transfer - only allow zone transfers to servers listed on the Name Servers tab. Verify that Automatic Notify is turned on in the Notify properties.
- Security - do not change anything, do not even look at it, pretend it is not there, just stay away from the security settings.
Reverse Lookup Zone Properties
If you are reading this and thinking, "What reverse lookup zone?" this is going to come as a shock. Forward lookup zones are important for clients looking up server resource records and resolving host names to IP addresses. You should have one reverse lookup zone for each subnet that contains objects that exist in Active Directory. This is simple for single-site domains, more labor intensive for distributed networks. Reverse lookup zones are just as important, if not more so, because reverse lookup zones help clients identify which site they are in, which DNS servers are closest to them, and what host names correspond to IP addresses. Without properly configured reverse lookup zone(s), clients cannot process group policy, connect to the correct domain controllers, etc.
Once that has been completed, edit the properties of the reverse lookup zone(s) to match the settings of the forward lookup zone(s) per the above instructions.
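The checklist above, carried out from the command line. This is an added example, not code from the original article: it uses the DnsServer PowerShell module that ships with Windows Server 2012 and later (the article describes the Windows 2000/2003 MMC tabs), and the zone name, addresses and subnets are placeholders. It applies the server properties, then one parameter set to the forward zone and to a reverse zone per subnet so both get identical settings, and finishes with the forward and reverse queries the Monitoring tab would run.

```powershell
# Added example, not from the original article: the Server Properties and
# Zone Properties checklist applied with the DnsServer module (Windows
# Server 2012 or later). Zone name, addresses and subnets are placeholders.
#Requires -Modules DnsServer

$zone       = 'corp.example'                 # AD-integrated forward zone (placeholder)
$listenIp   = '10.0.0.5'                     # the single interface DNS should listen on
$forwarders = '192.0.2.53', '192.0.2.54'     # upstream (ISP) resolvers, placeholders
$subnets    = '10.0.0.0/24', '10.0.1.0/24'   # one reverse zone per subnet with AD objects
$soaContact = 'hostmaster.corp.example.'     # Responsible Person: the '@' is written as '.'

# Interfaces tab: listen on one address rather than every address on the box.
$settings = Get-DnsServerSetting -All
$settings.ListeningIPAddress = @([System.Net.IPAddress]$listenIp)
Set-DnsServerSetting -InputObject $settings

# Forwarders tab: everything not answered from the local zones or cache goes
# upstream; disabling root hints keeps the DC from walking the hierarchy itself.
Set-DnsServerForwarder -IPAddress $forwarders -UseRootHint $false

# General, Start of Authority and Zone Transfer tabs as one parameter set, so the
# reverse zones below get exactly the same settings as the forward zone.
# 'NonsecureAndSecure' is what the article asks for so down-level clients can
# register; it also lets any host that reaches the server overwrite records,
# so use 'Secure' on a network without such clients.
$zoneSettings = @{
    DynamicUpdate     = 'NonsecureAndSecure'
    ResponsiblePerson = $soaContact
    SecureSecondaries = 'TransferToZoneNameServer'   # only servers on the Name Servers tab
    Notify            = 'Notify'                     # automatic notify to those servers
}
Set-DnsServerPrimaryZone -Name $zone @zoneSettings

# Reverse zone name for a /8, /16 or /24 network, e.g. 10.0.1.0/24 -> 1.0.10.in-addr.arpa
function Get-ReverseZoneName([string]$cidr) {
    $network, $bits = $cidr -split '/'
    $octets = $network -split '\.'
    $keep = [int]$bits / 8                   # number of leading octets the zone covers
    return (@($octets[($keep - 1)..0]) -join '.') + '.in-addr.arpa'
}

foreach ($net in $subnets) {
    $revZone = Get-ReverseZoneName $net
    if (-not (Get-DnsServerZone -Name $revZone -ErrorAction SilentlyContinue)) {
        # AD-integrated, replicated to every DNS-hosting DC in the domain
        Add-DnsServerPrimaryZone -NetworkId $net -ReplicationScope Domain
    }
    Set-DnsServerPrimaryZone -Name $revZone @zoneSettings
}

# Monitoring tab equivalent: a forward and a reverse query against this server
# must both succeed before any client is pointed at it.
Resolve-DnsName -Name $zone -Type A -Server $listenIp
Resolve-DnsName -Name $listenIp -Type PTR -Server $listenIp
```

Run it once on the DC that hosts DNS, as a domain administrator; because the zones are AD-integrated, the zone settings replicate to the other DNS-hosting DCs, while the listening address and forwarders are per-server and must be set on each one.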
DNS With a Single Domain Controller
First, why do you only have one domain controller? There is no reason not to have a second DC. Server hardware is cheap these days, and being able to authenticate users while the first DC is rebooting during your scheduled patch maintenance is a valuable benefit. Also, having two DCs eliminates the need for the following fixes, assuming the DCs are configured correctly.
The biggest issue for Active Directory with a lone DC is that dynamic registration of DNS records will consistently fail. DCs use the Netlogon service to register their records in DNS; when the Netlogon service starts, the DC will try to register with a DDNS server. Unfortunately, the Netlogon service starts before the DNS Server service does. Trying to correct this problem by adjusting dependencies in the Services applet will only cause more problems.
Overcome this limitation by configuring Group Policy to run a startup script on the domain controller that waits a minute after boot and then restarts the Netlogon service so the DC can properly register itself in DNS. You can adjust the timing as needed by simply editing the script. However, the script will not work unless the domain controller is configured with itself as the only DNS server in the NIC properties. Resolving outside hosts is done through the forwarders configured in the DNS Server service properties.
Obviously, all clients that connect to the domain must use the domain controller as their only DNS server so that dynamic name registration and Active Directory lookups work properly. Never assign a domain client outside DNS servers, because this will only cause problems if the domain controller is unavailable.
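A startup script of the kind described above, as an added example rather than the article's own script (which is not reproduced on the page). It waits the article's one minute, confirms the DNS Server service is actually running, checks the precondition that the NIC lists only this DC as its DNS server, restarts Netlogon, and then verifies that the domain's LDAP SRV record resolves. The delay and log path are adjustable placeholders; it assumes PowerShell 3 or later with the NetTCPIP and DnsClient modules.

```powershell
# Added example, not the article's script: Group Policy startup script for a
# lone domain controller that re-registers its DNS records after boot.
$delaySeconds = 60                                                  # the article's "wait a minute"
$logFile      = Join-Path $env:SystemRoot 'Temp\netlogon-reregister.log'   # placeholder path

function Write-Log([string]$message) {
    "$(Get-Date -Format s) $message" | Out-File -FilePath $logFile -Append
}

# 1. Give the DNS Server service time to start, then make sure it really did.
Start-Sleep -Seconds $delaySeconds
$dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
if (-not $dns -or $dns.Status -ne 'Running') {
    Write-Log "DNS Server service not running after $delaySeconds s; Netlogon not restarted."
    exit 1
}

# 2. Precondition from the article: this DC's own address must be the only DNS
#    server on its NIC(s). Anything else means the restart will register nowhere useful.
$localIps   = (Get-NetIPAddress -AddressFamily IPv4 |
               Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
$foreign = $dnsServers | Where-Object { $_ -notin $localIps }
if ($foreign) {
    Write-Log "NIC lists non-local DNS server(s) $($foreign -join ', '); fix the NIC properties first."
    exit 1
}

# 3. Restart Netlogon so it registers the DC's A and SRV records with the
#    now-running DNS server.
Restart-Service -Name Netlogon -Force
Write-Log 'Netlogon restarted to re-register DNS records.'

# 4. Confirm the registration took: the domain's DC locator SRV record must resolve.
Start-Sleep -Seconds 15
$domain = (Get-CimInstance -ClassName Win32_ComputerSystem).Domain
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction SilentlyContinue
if ($srv) {
    Write-Log "SRV registration confirmed: $($srv.NameTarget -join ', ')"
} else {
    Write-Log 'SRV record still missing; check the DNS Server and Netlogon event logs.'
}
```

Assign it under Computer Configuration, Windows Settings, Scripts (Startup) in a GPO linked to the Domain Controllers OU; the log file is the only output, since startup scripts run as SYSTEM before any console exists.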
DNS With More Than One Domain Controller
Having more than one domain controller is a recommended practice. That effort would be for nothing if the DCs are not aware of each other; therefore, each DC must be configured to use another DC as its primary DNS server so dynamic registration of records will work properly. Environments with multiple DCs that refer only to themselves for DNS services cannot resolve the IP addresses of the other DCs, breaking zone transfers and Active Directory replication.
The first consideration in such an environment is staggering the reboots of the domain controllers so one system is always available with DNS services for the other DCs to register their name and resource records. Second, make sure that all the servers hosting the AD DNS zone(s) are listed on the Name Servers tab in both the forward and reverse lookup zones so zone transfers will work properly.
As with a single domain controller, all clients that connect to the domain must use the domain controllers as their only DNS servers so that dynamic name registration and Active Directory lookups work properly. Never assign a domain client outside DNS servers, because this will only cause problems if the domain controllers are unavailable.
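An audit of the two multi-DC rules above, as an added example that is not part of the original article: for every domain controller it checks that the primary DNS server on the NIC is another DC rather than itself and that no non-DC resolver is configured, and for every primary zone it checks that each DNS-hosting DC appears in the zone's NS records (the Name Servers tab). It assumes the ActiveDirectory and DnsServer modules and PowerShell remoting to each DC, run as a domain administrator.

```powershell
# Added example, not from the original article: audit the DNS client order of
# every DC and the Name Servers list of every zone. Requires the ActiveDirectory
# and DnsServer modules and PowerShell remoting to each DC.
#Requires -Modules ActiveDirectory, DnsServer

$domain = (Get-ADDomain).DNSRoot
$dcs    = Get-ADDomainController -Filter *
$dcIps  = @{}                                   # IPv4 address -> DC host name
foreach ($dc in $dcs) { $dcIps[$dc.IPv4Address] = $dc.HostName }

$findings = @()

# Rule 1: each DC's primary DNS server is another DC, and only DCs are listed.
foreach ($dc in $dcs) {
    $servers = Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        (Get-DnsClientServerAddress -AddressFamily IPv4 |
         Where-Object { $_.ServerAddresses }).ServerAddresses
    }
    $primary = $servers | Select-Object -First 1
    if (-not $primary) {
        $findings += "$($dc.HostName): no DNS server configured on any NIC"
    } elseif ($primary -eq $dc.IPv4Address) {
        $findings += "$($dc.HostName): primary DNS is itself ($primary); point it at another DC first"
    } elseif (-not $dcIps.ContainsKey($primary)) {
        $findings += "$($dc.HostName): primary DNS $primary is not a domain controller"
    }
    $outside = $servers | Where-Object { -not $dcIps.ContainsKey($_) }
    if ($outside) {
        $findings += "$($dc.HostName): non-DC DNS servers configured: $($outside -join ', ')"
    }
}

# Rule 2: every DC that hosts the domain zone is on the Name Servers tab of
# every primary zone (forward and reverse). Records are read from one DNS host;
# AD-integrated zones replicate, so the others should match.
$dnsHosts = $dcs | Where-Object {
    Get-DnsServerZone -ComputerName $_.HostName -Name $domain -ErrorAction SilentlyContinue
}
$expected  = $dnsHosts.HostName | ForEach-Object { $_.TrimEnd('.') + '.' }   # NS data carries a trailing dot
$reference = ($dnsHosts | Select-Object -First 1).HostName
$zones = Get-DnsServerZone -ComputerName $reference |
         Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and $_.ZoneName -ne 'TrustAnchors' }
foreach ($z in $zones) {
    $ns = (Get-DnsServerResourceRecord -ComputerName $reference -ZoneName $z.ZoneName -RRType NS |
           Where-Object { $_.HostName -eq '@' }).RecordData.NameServer
    foreach ($h in $expected) {
        if ($h -notin $ns) { $findings += "$($z.ZoneName): $h missing from the Name Servers tab" }
    }
}

if ($findings) { $findings } else { 'All domain controllers follow the multi-DC DNS rules.' }
```

Any line it prints is a DC that will fail dynamic registration or a zone that will refuse a transfer to one of its own servers; a DC that points at itself is the classic symptom the section describes, and the fix is to swap the primary and alternate DNS entries on that NIC.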