Configuring Non-Windows 2000 DNS Servers to Support Active Directory

For the domain controller locator to work properly, the primary DNS server that is authoritative for the names that the Netlogon service on the domain controller registers must support the service location resource record (SRV RR). The SRV resource record is specified in the IETF Internet-Draft "A DNS RR for specifying the location of services (DNS SRV)" (since published as RFC 2782). Any other DNS servers that are authoritative for the domain must also support SRV records.

In addition, you can simplify administration by making sure that the DNS servers that are authoritative for the names that Netlogon registers support the dynamic update protocol, as described in RFC 2136. You can use a DNS server that does not support dynamic update as the primary master for the domain name, but this is not recommended: you will then have to update the primary zone manually when you configure Active Directory, and again whenever a domain controller is added or its records change. For information about how to configure and verify the DNS records that are used to support Active Directory, see "Verifying Your Basic DNS Configuration" later in this chapter.

If you are using a DNS server that does not support the IETF Internet-Draft "A DNS RR for specifying the location of services (DNS SRV)," you must upgrade your DNS server or add a DNS server that does support those standards. The server that supports those standards must be the primary DNS server that is authoritative for the DNS names that the Netlogon service on the domain controller will register. You must then perform special configuration on both DNS servers.

This section explains which DNS servers can be used to support Active Directory and how to configure DNS and Active Directory when you are using servers that cannot support Active Directory.

If you are using a DNS service other than the Windows 2000 DNS service, it is a good idea to test it for compatibility with Active Directory and DHCP.

Using Non-Microsoft DNS Servers to Support Active Directory

The following servers support SRV records:

  • Windows 2000

  • Windows NT 4.0 Service Pack 4 and later

  • BIND 4.9.6 and later

The following servers support dynamic update:

  • Windows 2000

  • BIND 8

If you use a third-party server, however, you cannot manage it with the DNS console or Dnscmd.exe, and you lose Active Directory integration, secure dynamic update, aging and scavenging of stale records, and remote administration. Because secure dynamic update is not available, restrict which hosts may update the zone by whatever mechanism the server offers (for example, an allow-update list on BIND 8 limited to the domain controllers' addresses); otherwise any client that can reach the server can overwrite the locator records.

Also, it is a good idea to verify your DNS configuration after you install Active Directory.

The DNS database must include locator resource records (SRV, CNAME, and A) to support each domain controller.

Using the Name of a Delegated Zone as an Active Directory Domain Name

If your organization already has a DNS domain (for example, reskit.com), the primary DNS server that is authoritative for that domain does not support RFC 2136 and the IETF Internet-Draft "A DNS RR for specifying the location of services (DNS SRV)," and you cannot upgrade it, you can still create an Active Directory domain. Delegate a subdomain (for example, child.reskit.com) from the first DNS server to a second DNS server that does support these standards, make the second server authoritative for the subdomain, and create an Active Directory domain with the same name as the DNS subdomain. Figure 6.25 shows an example in which a Windows 2000 DNS server is made authoritative for a delegated subdomain.


Figure 6.25 Implementing a Windows 2000 DNS Server to Support a Delegated Subdomain

In this example, the primary name server for reskit.com, NoSRV.reskit.com, does not support SRV records and, therefore, cannot be used to support Active Directory. Because of this, the administrator of NoSRV.reskit.com delegated the subdomain child.reskit.com to a Windows 2000 DNS server. The Windows 2000 DNS server provides the same capabilities for this zone as for any other zone. For example, it can be stored in Active Directory, as described in "Active Directory Integration and Multimaster Replication" earlier in this chapter.

Using the Existing Zone Name as the Active Directory Domain Name

If your organization already has a DNS domain (for example, reskit.com), and the DNS server that is authoritative for that domain does not support RFC 2136 and the IETF Internet-Draft "A DNS RR for specifying the location of services (DNS SRV)," and you cannot upgrade the server, you can still implement Active Directory with the name of the existing DNS zone. To implement Active Directory, add another DNS server that does support those standards and delegate certain zones to this server.

On the DNS server that does not support SRV records and dynamic update, delegate the following zones to the DNS server that does:

  • _tcp.<Active Directory domain name>

  • _udp.<Active Directory domain name>

  • _msdcs.<Active Directory domain name>

  • _sites.<Active Directory domain name>

On the DNS server that does support these features, create and then enable dynamic update on each of the zones in the preceding list. The domain controllers dynamically update the appropriate records in these zones.

Figure 6.26 illustrates this configuration for the example domain reskit.com:


Figure 6.26 Delegating Zones to a DNS Server That Can Support Active Directory

The Netlogon service sends dynamic updates to the delegated zones. By default, Netlogon also attempts a dynamic update of an A resource record whose owner name is the Active Directory domain name itself (an owner name is the name of the node to which the resource record pertains). In this example that owner name, reskit.com, lies in the parent zone, which is held by the server that does not accept dynamic update, so the update fails and Event Viewer records an error stating that a dynamic update failed. To prevent Netlogon from registering A resource records, add the entry RegisterDnsARecords to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetLogon\Parameters

Set the value of RegisterDnsARecords to 0x0 (DWORD), and then restart the Netlogon service for the change to take effect. This setting affects only the A records that Netlogon registers for the domain name; the domain controller's own host (A) record is registered by the DHCP Client service and is not affected.


Caution

Do not use a registry editor to edit the registry directly unless you have no alternative. The registry editors bypass the standard safeguards provided by administrative tools. These safeguards prevent you from entering conflicting settings or settings that are likely to degrade performance or damage your system. Editing the registry directly can have serious, unexpected consequences that can prevent the system from starting and require that you reinstall Windows 2000. To configure or customize Windows 2000, use the programs in Control Panel or Microsoft Management Console (MMC) whenever possible.
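The two procedures above (delegating the four zones, and the A record that Netlogon cannot register in the parent zone) can be checked mechanically before you touch the registry. The following Python script is an added example, not part of this chapter or of any Microsoft tool: it reads records in the format of the netlogon.dns file that a Windows 2000 domain controller writes (%SystemRoot%\system32\config\netlogon.dns), reports which records fall inside the delegated zones and which would be sent to the parent zone, and prints the NS records to add to the parent zone file. The sample records, the domain controller dc1, the server dns2.reskit.com, the IP addresses and the GUID are constructed for the example.

```python
"""Check that the zones delegated from a parent DNS server that cannot accept
dynamic updates cover every record that a Windows 2000 domain controller's
Netlogon service tries to register, and emit the delegation records for the
parent zone.

Added example; not from the Resource Kit. Record format follows
%SystemRoot%\\system32\\config\\netlogon.dns (owner TTL IN TYPE RDATA).
The DC name dc1, the 10.0.0.x addresses and the GUID are constructed."""

AD_DOMAIN = "reskit.com"

# The four zones the chapter says to delegate to the server that supports
# SRV records and dynamic update.
DELEGATED_ZONES = [f"{label}.{AD_DOMAIN}" for label in ("_tcp", "_udp", "_msdcs", "_sites")]

# Constructed sample in netlogon.dns format (a subset of what a real DC writes).
SAMPLE_NETLOGON_DNS = """\
reskit.com. 600 IN A 10.0.0.5
_ldap._tcp.reskit.com. 600 IN SRV 0 100 389 dc1.reskit.com.
_ldap._tcp.Default-First-Site-Name._sites.reskit.com. 600 IN SRV 0 100 389 dc1.reskit.com.
_ldap._tcp.pdc._msdcs.reskit.com. 600 IN SRV 0 100 389 dc1.reskit.com.
_ldap._tcp.dc._msdcs.reskit.com. 600 IN SRV 0 100 389 dc1.reskit.com.
_ldap._tcp.gc._msdcs.reskit.com. 600 IN SRV 0 100 3268 dc1.reskit.com.
_kerberos._tcp.reskit.com. 600 IN SRV 0 100 88 dc1.reskit.com.
_kerberos._udp.reskit.com. 600 IN SRV 0 100 88 dc1.reskit.com.
_kpasswd._tcp.reskit.com. 600 IN SRV 0 100 464 dc1.reskit.com.
_kpasswd._udp.reskit.com. 600 IN SRV 0 100 464 dc1.reskit.com.
4f2d8e0c-1b3a-4c5d-9e6f-7a8b9c0d1e2f._msdcs.reskit.com. 600 IN CNAME dc1.reskit.com.
gc._msdcs.reskit.com. 600 IN A 10.0.0.5
"""


def parse_netlogon_dns(text):
    """Return (owner, type, rdata) tuples; owner names are lowercased and
    stripped of the trailing dot so that suffix matching is case-insensitive."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected netlogon.dns line: {line!r}")
        records.append((fields[0].rstrip(".").lower(), fields[3].upper(), " ".join(fields[4:])))
    return records


def zone_for(owner, zones):
    """Most specific zone (longest matching suffix) that contains owner, or None.
    A name is in a zone if it is the zone apex or ends in '.' + zone."""
    best = None
    for zone in (z.lower() for z in zones):
        if (owner == zone or owner.endswith("." + zone)) and (best is None or len(zone) > len(best)):
            best = zone
    return best


def classify(records, delegated_zones):
    """Split records into those whose owner lies in a delegated zone (the
    dynamic update reaches the capable server) and those that do not (the
    update goes to the parent, which rejects it, and Netlogon logs an error)."""
    delegated, left_to_parent = [], []
    for owner, rtype, _rdata in records:
        zone = zone_for(owner, delegated_zones)
        if zone is None:
            left_to_parent.append((owner, rtype))
        else:
            delegated.append((owner, rtype, zone))
    return delegated, left_to_parent


def delegation_records(delegated_zones, ns_host, ns_ip):
    """Zone-file lines to add to the parent zone: an NS record per delegated
    child pointing at the capable server, plus an A record for that server."""
    lines = [f"{zone}. IN NS {ns_host}." for zone in delegated_zones]
    lines.append(f"{ns_host}. IN A {ns_ip}")
    return lines


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    ok, failing = classify(recs, DELEGATED_ZONES)
    for owner, rtype, zone in ok:
        print(f"OK    {rtype:5} {owner}  -> zone {zone}")
    for owner, rtype in failing:
        print(f"FAIL  {rtype:5} {owner}  -> stays in {AD_DOMAIN}; set RegisterDnsARecords=0 or add it by hand")
    print("\nAdd to the parent zone file for", AD_DOMAIN + ":")
    print("\n".join(delegation_records(DELEGATED_ZONES, "dns2.reskit.com", "10.0.0.6")))
```

Run against a real netlogon.dns (replace SAMPLE_NETLOGON_DNS with the file's contents) to confirm that the only record left to the parent is the A record at the domain apex, which is exactly the one the RegisterDnsARecords setting suppresses. Matching uses the longest suffix, as a resolver does when it finds the zone that holds a name, so a record under _sites is attributed to _sites.reskit.com even though its owner name also contains the label _tcp.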