The Cable Guy DNS Enhancements in Windows Server 2008
Joseph Davies

This article is based on a prerelease version of Windows Server 2008. All information herein is subject to change.

Microsoft has included a Domain Name System (DNS) Server service in versions of Windows Server since Windows NT 4.0. DNS is a hierarchical, distributed database that contains mappings of DNS domain names to various types of data, such as IP addresses. With Windows Server 2008, the DNS Server service includes new background zone loading, enhancements to support IPv6, support for read-only domain controllers (RODCs), and the ability to host global single-label names.

Background Zone Loading
The DNS Server service in Windows Server® 2008 makes data retrieval faster by implementing background zone loading. In the past, enterprises with zones containing large numbers of records in Active Directory® experienced delays of up to an hour or more when the DNS Server service in Windows Server 2003 tried to retrieve the DNS data from Active Directory on restart. During these delays, the DNS server was unavailable to service DNS client requests for any of its hosted zones.
To address this issue, the DNS Server service in Windows Server 2008 retrieves zone data from Active Directory in the background after it starts so that it can respond to requests for data from other zones. When the service starts, it creates one or more threads of execution to load the zones that are stored in Active Directory. Because there are separate threads for loading the Active Directory-based zones, the DNS Server service can respond to queries while zone loading is in progress. If a DNS client requests data in a zone that has already been loaded, the DNS server responds appropriately. If the request is for data in a zone that has not yet been entirely retrieved, the DNS server retrieves the specific data from Active Directory instead.
This ability to retrieve specific data from Active Directory during zone loading provides an additional advantage over storing zone information in files—namely that the DNS Server service has the ability to respond to requests immediately. When the zone is stored in files, the service must sequentially read through the file until the data is found.
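The following Python simulation is an added illustration of the design just described; it is not code from the column or from the Windows Server DNS Server service. A loader thread retrieves the directory-stored zones one by one while the server keeps answering queries: zones already loaded are served from memory, a zone still being loaded is answered by fetching just the requested record from the directory store, and a zone the server does not host is refused. The DirectoryStore class, the zone names and addresses, and the gate event that lets the demo decide when loading may proceed are all constructed for this example.

```python
import threading


class DirectoryStore:
    """Stand-in (constructed for this example) for the Active Directory
    partitions that hold zone data.

    read_zone() models the slow, whole-zone retrieval done by the loader
    thread; read_record() models the targeted lookup the server performs
    for a zone that has not finished loading yet.
    """

    def __init__(self, zones):
        self._zones = zones          # {zone name: {owner name: IPv4 address}}

    def read_zone(self, zone):
        return dict(self._zones[zone])

    def read_record(self, zone, name):
        return self._zones[zone].get(name)


class DnsServer:
    """Authoritative server that loads its directory-stored zones in a
    background thread while already answering queries."""

    def __init__(self, store, zone_names, loader_gate):
        self.store = store
        self.zone_names = list(zone_names)
        self._loaded = {}                     # zones fully retrieved so far
        self._lock = threading.Lock()
        self._gate = loader_gate              # constructed: demo controls when loading proceeds
        self._ready = threading.Event()
        self._thread = threading.Thread(target=self._load_zones, daemon=True)

    def start(self):
        self._thread.start()

    def _load_zones(self):
        # One loader thread here; the real service may use several.
        for zone in self.zone_names:
            self._gate.wait()
            data = self.store.read_zone(zone)
            with self._lock:
                self._loaded[zone] = data
        self._ready.set()

    def wait_until_loaded(self, timeout=None):
        return self._ready.wait(timeout)

    def query(self, zone, name):
        """Return (source, answer): where the answer came from and the data."""
        with self._lock:
            zone_data = self._loaded.get(zone)
        if zone_data is not None:
            return ("zone", zone_data.get(name))          # served from memory
        if zone in self.zone_names:
            # Authoritative but not yet loaded: fetch only this record.
            return ("directory", self.store.read_record(zone, name))
        return ("nonauth", None)                             # not hosted here


def demo():
    """Query before and after loading completes; returns the three results."""
    store = DirectoryStore({
        "contoso.com": {"www": "10.0.0.10"},                 # constructed sample data
        "central.contoso.com": {"cweb": "10.1.1.20"},
    })
    gate = threading.Event()
    server = DnsServer(store, ["contoso.com", "central.contoso.com"], gate)
    server.start()
    early = server.query("central.contoso.com", "cweb")     # zone not loaded yet
    gate.set()                                              # let the loader run
    server.wait_until_loaded(timeout=5)
    late = server.query("central.contoso.com", "cweb")      # now in memory
    other = server.query("fabrikam.com", "www")             # not hosted here
    return early, late, other


if __name__ == "__main__":
    print(demo())
```

The lock matters: the loader publishes a whole zone at once, so a query never sees a half-loaded zone and either takes the in-memory path or the per-record directory path.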

Enhanced Support for IPv6
IPv6, which has been covered in previous editions of this column, is a new suite of Internet standard protocols. IPv6 is designed to address many of the issues of the current version—IPv4—such as address depletion, security, autoconfiguration, and the need for extensibility.
One difference in IPv6 is that its addresses are 128 bits long, while IPv4 addresses are only 32 bits. IPv6 addresses are expressed in colon-hexadecimal notation. Each hexadecimal digit is 4 bits of the IPv6 address. A fully expressed IPv6 address is 32 hexadecimal digits in 8 blocks, separated by colons. An example of a fully expressed IPv6 address is FD91:2ADD:715A:2111:DD48:AB34:D07C:3914.
Forward name resolution for IPv6 addresses uses the IPv6 Host DNS record, known as the AAAA record (pronounced "quad-A"). For reverse name resolution, IPv6 uses the IP6.ARPA domain, and each hexadecimal digit in the 32-digit IPv6 address becomes a separate level in the reverse domain hierarchy in inverse order. For example, the reverse lookup domain name for the address FD91:2ADD:715A:2111:DD48:AB34:D07C:3914 is 4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.1.1.2.A.5.1.7.D.D.A.2.1.9.D.F.IP6.ARPA.
The DNS Server service in Windows Server 2003 supports forward and reverse name resolution for IPv6; however, the support is not fully integrated. For example, to create an IPv6 address record (the AAAA record we just discussed) in the Windows Server 2003 DNS Manager snap-in, you must right-click the zone, click Other New Records, and then double-click IPv6 Host (AAAA) as the resource record type. To add a AAAA record in the DNS Manager snap-in for Windows Server 2008, right-click the zone name, and then click New Host (A or AAAA). In the New Host dialog box, you can type an IPv4 or IPv6 address. Figure 1 shows an example.
Figure 1 New Host dialog box
Another example of better support for IPv6 is for reverse IPv6 zones. To create a reverse lookup zone in the DNS Manager snap-in for Windows Server 2003, you have to manually type the reverse zone name in the Reverse Zone Lookup Name page of the New Zone Wizard. An example of a DNS reverse zone name is 1.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa (for the IPv6 subnet prefix 2001:db8:0:1::/64, fully expressed as 2001:0db8:0000:0001::/64).
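The name construction described above, carried out in Python as an added example that is not part of the column: an IPv6 address is expanded to all 32 hexadecimal digits, the digits are reversed into an ip6.arpa name, the reverse zone name is derived from a subnet prefix, and the zone-relative owner name of the PTR record is computed. It uses the column's own addresses; the /64 prefix FD91:2ADD:715A:2111::/64 for the PTR case is assumed, and the rejection of prefixes that do not end on a nibble boundary goes beyond what the column shows. DNS names are case-insensitive, so the lowercase output is equivalent to the column's uppercase spelling.

```python
import ipaddress


def ipv6_reverse_name(address):
    """Full ip6.arpa name for one IPv6 address.

    The address is expanded to all 32 hexadecimal digits and each digit
    becomes one label, emitted least significant nibble first.
    """
    nibbles = ipaddress.IPv6Address(address).exploded.replace(":", "")
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ipv6_reverse_zone(prefix):
    """Reverse lookup zone name for a subnet prefix such as 2001:db8:0:1::/64.

    Only prefix lengths on a nibble boundary (a multiple of 4 bits) map to
    exactly one zone, so anything else is rejected rather than rounded,
    which would silently create a zone covering the wrong address range.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = net.network_address.exploded.replace(":", "")
    return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa"


def ptr_owner_in_zone(address, prefix):
    """Owner name of the PTR record relative to its reverse zone.

    Only the host part of the address remains (the labels a zone-relative
    view shows); the address is checked to actually fall inside the prefix.
    """
    addr = ipaddress.IPv6Address(address)
    net = ipaddress.IPv6Network(prefix, strict=True)
    if addr not in net:
        raise ValueError(f"{addr} is not inside {net}")
    if net.prefixlen % 4:
        raise ValueError(f"/{net.prefixlen} is not on a nibble boundary")
    nibbles = addr.exploded.replace(":", "")
    return ".".join(reversed(nibbles[net.prefixlen // 4:]))


if __name__ == "__main__":
    print(ipv6_reverse_name("FD91:2ADD:715A:2111:DD48:AB34:D07C:3914"))
    print(ipv6_reverse_zone("2001:db8:0:1::/64"))
    # Assumed /64 prefix for the column's example address:
    print(ptr_owner_in_zone("FD91:2ADD:715A:2111:DD48:AB34:D07C:3914",
                            "FD91:2ADD:715A:2111::/64"))
```

Python's ipaddress module exposes the same full reverse name as IPv6Address.reverse_pointer; the explicit version here makes the nibble-by-nibble rule visible and adds the prefix checks a zone-creation script needs.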
IPv6 reverse zones in the DNS Manager snap-in for Windows Server 2008 are now fully integrated into the New Zone wizard. There is a new page of the wizard that prompts you to select an IPv4 reverse lookup zone or an IPv6 reverse lookup zone. For an IPv6 reverse lookup zone, you just need to type the IPv6 subnet prefix and the wizard automatically creates the zone for you. Figure 2 shows an example.
Figure 2 Naming an IPv6 reverse lookup zone
Another enhancement for reverse zones is the way in which the DNS Manager snap-in displays IPv6 pointer (PTR) records. Figure 3 shows how the DNS Manager snap-in for Windows Server 2003 displays a PTR record.
Figure 3 PTR record for IPv6 in Windows Server 2003
Although this display accurately reflects the structure of the DNS namespace for IPv6 reverse domain names, it makes PTR record management for IPv6 addresses more difficult. Figure 4 shows how the DNS Manager snap-in for Windows Server 2008 displays a PTR record.
Figure 4 PTR record for IPv6 in Windows Server 2008
The DNS Server service in Windows Server 2003 supports operation over IPv6, but it must be manually enabled with the dnscmd /config /EnableIPv6 1 command. Windows Server 2008, conversely, supports operation over IPv6 by default. The Dnscmd.exe command-line tool has been updated to accept IPv6 addresses in command-line options. Additionally, the DNS Server service can now send recursive queries to IPv6-only servers, and the server forwarder list can contain both IPv4 and IPv6 addresses.
For more information about IPv6 and how it is supported in Windows®, see microsoft.com/ipv6.

Read-Only Domain Controller Support
Windows Server 2008 also introduces the RODC, a new type of domain controller that contains a read-only copy of Active Directory information and can perform Active Directory functions but cannot be directly configured. RODCs are less vulnerable to attack and can be placed in locations where the physical security of the domain controller cannot be guaranteed or where the network contains potentially malicious hosts.
For RODCs, the DNS Server service in Windows Server 2008 supports the new primary read-only zone type. When a computer becomes an RODC, it replicates a full read-only copy of all of the application directory partitions that DNS uses, including the domain partition, ForestDNSZones, and DomainDNSZones. This ensures that the DNS Server service running on the RODC has a full read-only copy of any DNS zones stored in the directory partitions of a domain controller that is not an RODC. You can view the contents of a primary read-only zone on an RODC, but you cannot change them. You must change the contents of the zone on a domain controller that is not an RODC.

GlobalNames Zone
Name Resolution with the GlobalNames Zone
After the GlobalNames zone is deployed, when a Windows Vista-based DNS client attempts to resolve a single-label name, it appends the primary DNS suffix to the single-label name and submits the name query request to its DNS server.
If the name is not found, the DNS client sends additional name query requests for the combination of the single-label name with the suffixes in its DNS suffix search list (if configured). If none of those names resolve, the client requests resolution using the single-label name.
The DNS server searches for the single-label name in the GlobalNames zone. If it appears there, the DNS server sends the resolved IPv4 address or FQDN back to the DNS client. Otherwise, the DNS client computer converts the name to a NetBIOS name and uses NetBIOS name resolution techniques, including WINS. No changes to the DNS Client service are required to enable single-label name resolution in the GlobalNames zone.

Windows Server 2008 and Windows Vista® support the NetBIOS over TCP/IP (NetBT) protocol. NetBT uses NetBIOS names to identify Session-layer NetBIOS applications. Although NetBIOS name resolution with WINS is not required for current versions of Windows that rely on Windows Sockets-based network applications and DNS for name resolution, many Microsoft customers deploy WINS in their networks to support older NetBT applications and to provide name resolution for single-label names across their organizations. Single-label names typically refer to important, well-known, and widely used servers for an organization, such as e-mail servers, central Web servers, or the servers for line-of-business applications.
In order to allow these single-label names to be resolved across an organization using only DNS, you might find it necessary to add A records to each of the DNS domains of your organization so that a Windows-based DNS client can resolve the name regardless of its assigned DNS domain suffix or suffix search list.
Suppose, for example, that the contoso.com organization has a central Web server named CWEB that is a member of the central.contoso.com domain. To implement a single-label name for the server CWEB when DNS clients can be assigned the DNS domain suffix wcoast.contoso.com, central.contoso.com, or ecoast.contoso.com, the network administrator must create two additional A records for both cweb.wcoast.contoso.com and cweb.ecoast.contoso.com. However, don't forget that manually created A records for single-label names must be maintained for changes in IPv4 address assignment or for new names.
If contoso.com is already using WINS for older NetBT applications, a network administrator can implement name resolution for the single-label name CWEB by adding a single static WINS record to their WINS infrastructure. If the IPv4 address changes, only the single static WINS record needs to be changed. Because single-label names are easier to manage on WINS, many Windows-based networks use static WINS records for single-label names.
To provide a single-label name solution on DNS that's as easily managed as static WINS records, the DNS Server service in Windows Server 2008 supports a new zone called GlobalNames to store single-label names. The replication scope of this zone is typically a forest, which provides single-label name resolution across an entire Active Directory forest. Additionally, the GlobalNames zone can support single-label name resolution throughout an organization that contains multiple forests when you use Service Location (SRV) resource records to publish the location of the GlobalNames zone.
Unlike WINS, the GlobalNames zone is intended to provide single-label name resolution for a limited set of host names, typically the central and critical servers of an organization that are managed by its IT department. The GlobalNames zone is not intended to be used to store the names of desktop computers or other servers whose IPv4 addresses can change, and under no circumstances does it support DNS dynamic updates. It is most commonly used to hold alias (CNAME) resource records to map a single-label name to a Fully Qualified Domain Name (FQDN). For networks that are currently using WINS, the GlobalNames zone usually contains resource records for IT-managed names that are already statically configured in WINS.
The GlobalNames zone provides single-label name resolution only when all authoritative DNS servers are running Windows Server 2008. However, other DNS servers that are not authoritative for any zone can be running older versions of Windows or other operating systems. The GlobalNames zone must be unique in the forest.
To provide maximum performance and scalability, the GlobalNames zone should be integrated with Active Directory and you should configure each authoritative DNS server with a local copy of it. This configuration is also required in order to deploy the GlobalNames zone across multiple forests.
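The resolution sequence from the "Name Resolution with the GlobalNames Zone" sidebar and the CNAME-based use of the zone described above, modelled in Python as an added example that is not part of the column: the client tries the single-label name with its primary DNS suffix, then with each entry of its suffix search list, then as a bare single-label query that the server checks against the GlobalNames zone (following the CNAME to the real host), and only then falls back to NetBIOS name resolution. The contoso.com names come from the column; the IPv4 addresses, the in-memory zones and the static registration helper are constructed for the example, and the helper's checks (single label only, target must already resolve) reflect the column's advice that the zone is IT-managed and static rather than any feature of the service.

```python
# Constructed sample data. Forward zones are keyed by FQDN; the GlobalNames
# zone holds only CNAME records, as the column recommends.
FORWARD_ZONES = {
    "cweb.central.contoso.com": ("A", "10.1.1.20"),
    "mail.ecoast.contoso.com": ("A", "10.3.1.25"),
}
GLOBALNAMES_ZONE = {
    "cweb": "cweb.central.contoso.com",    # single-label alias -> FQDN
}


def dns_lookup(fqdn):
    """Authoritative lookup in the ordinary forward zones; None if absent."""
    return FORWARD_ZONES.get(fqdn.lower())


def resolve_single_label(name, primary_suffix, suffix_search_list=()):
    """Model the client/server steps for resolving a single-label name.

    Returns the names queried in order, which mechanism answered
    ('suffix', 'globalnames' or 'netbios') and the IPv4 address found.
    """
    name = name.lower()
    if "." in name:
        raise ValueError("only single-label names take this path")
    queried = []
    # 1. Primary DNS suffix first, then each entry of the suffix search list.
    for suffix in (primary_suffix, *suffix_search_list):
        fqdn = f"{name}.{suffix}".lower()
        queried.append(fqdn)
        record = dns_lookup(fqdn)
        if record:
            return {"queried": queried, "via": "suffix", "answer": record[1]}
    # 2. Bare single-label query; the server consults the GlobalNames zone.
    queried.append(name)
    target = GLOBALNAMES_ZONE.get(name)
    if target:
        record = dns_lookup(target)        # follow the CNAME to the real host
        if record:
            return {"queried": queried, "via": "globalnames", "answer": record[1]}
    # 3. Nothing in DNS: the client falls back to NetBIOS name resolution (WINS).
    return {"queried": queried, "via": "netbios", "answer": None}


def add_globalnames_alias(name, target_fqdn):
    """Statically register an alias, as an administrator would (the zone
    takes no dynamic updates). Constructed helper, not a service API.

    Rejects multi-label names and targets that do not resolve, so the zone
    only ever points at existing, IT-managed hosts.
    """
    name = name.lower()
    if "." in name:
        raise ValueError("GlobalNames entries are single-label names")
    if dns_lookup(target_fqdn) is None:
        raise ValueError(f"{target_fqdn} does not resolve; create its A record first")
    GLOBALNAMES_ZONE[name] = target_fqdn.lower()


if __name__ == "__main__":
    # A client in wcoast.contoso.com asking for CWEB: two suffix misses,
    # then the GlobalNames alias resolves it.
    print(resolve_single_label("CWEB", "wcoast.contoso.com", ["ecoast.contoso.com"]))
    print(resolve_single_label("printsrv", "wcoast.contoso.com"))
```

The query trace shows why the zone should only hold names with stable targets: every miss on the suffix path is an extra round trip before the GlobalNames lookup, and the answer is only as current as the FQDN the CNAME points to.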
For more information about DNS support in Windows and about deploying the GlobalNames zone, see the Microsoft DNS Web page at microsoft.com/dns.

Joseph Davies is a technical writer with Microsoft and has been teaching and writing about Windows networking topics since 1992. He has written eight books for Microsoft Press and is the author of the monthly online TechNet Cable Guy column.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.