Planning DNS Server Deployment

To plan DNS server deployment for support of your Active Directory domains, you must identify the DNS servers that will be authoritative for your domain names, and ensure that they meet the requirements of the domain controller locator system.

Authority and Delegation in DNS

The Domain Name System is a hierarchical, distributed database. The database itself consists of resource records which primarily consist of a DNS name, a record type, and data values that are associated with that record type. For example, the most common records in the DNS database are Address (A) records, where the name of an Address record is the name of a computer, and the data in the record is the TCP/IP address of that computer.

Like Active Directory, the DNS database is divided into partitions that enable the database to scale efficiently even on very large networks. A partition of the DNS database is called a zone. A zone contains the records for a contiguous set of DNS names. A DNS server that loads a zone is said to be authoritative for the names in that zone.

A zone begins at a specified name and ends at a delegation point. A delegation point indicates where one zone ends and another zone begins. For example, there is a registration authority on the Internet that is responsible for the zone called "com." Inside this zone are thousands of delegation points to other zones, for example, The data in a delegation point indicates which servers are authoritative for the delegated zone. Figure 9.10 shows the relationship among DNS servers, zones, and delegations.


Figure 9.10 Servers, Zones, and Delegations in DNS

Domain Controller Locator System

Domain controllers register a set of records in DNS. These records are collectively called the locator records. When a client requires a particular service from a domain, it sends a query for a specific name and type of record to the nearest DNS server. The answer is a list of domain controllers that can satisfy the request.

The names of the locator records for each domain end in <DNS-domain-name> and <DNS-forest-name>. The DNS servers that are authoritative for each <DNS-domain-name> are authoritative for the locator records.

Note

Windows 2000 does not require reverse lookup zones to be configured. Reverse lookup zones might be necessary for other applications, or for administrative convenience.

DNS Server Requirements

If you do not already have DNS servers running on your network, it is recommended that you deploy the DNS service that is provided with Windows 2000 Server. If you have existing DNS servers, then the servers that are authoritative for the locator records must meet the following requirements to support Active Directory:

  • Must support the Service Location resource record.
    The DNS servers that are authoritative for the locator records must support the Service Location (SRV) resource record type. For more information about the SRV record, see "Introduction to DNS" in the TCP/IP Core Networking Guide.

  • Should support the DNS dynamic update protocol.
    The DNS servers that are authoritative for the locator records and are the primary master servers for those zones should support the DNS dynamic update protocol as defined in RFC 2136.

The DNS service provided with Windows 2000 Server meets both these requirements and also offers two important additional features:

  • Active Directory integration
    Using this feature, the Windows 2000 DNS service stores zone data in the directory. This makes DNS replication multimaster, so any DNS server can accept updates for a directory service–integrated zone. Using Active Directory integration also reduces the need to maintain a separate DNS zone transfer replication topology.

  • Secure dynamic update
    Secure dynamic update is integrated with Windows security. It allows an administrator to precisely control which computers can update which names, and it prevents unauthorized computers from taking ownership of existing names in DNS.

The remaining DNS servers on your network that are not authoritative for the locator records do not need to meet these requirements. Servers that are not authoritative are generally able to answer SRV record queries even if they do not explicitly support that record type.

Locate Authoritative Servers

For each DNS name you choose, consult your DNS management team and find out if the DNS server supports the listed requirements. If you find one that does not, there are three basic courses of action that you can take:

Upgrade the server to a version that supports the requirements.

If the authoritative servers are running the Windows NT 4.0 DNS service, simply upgrade those servers to Windows 2000. For other DNS server implementations, consult the vendor's documentation to find out which version supports the features necessary to support Active Directory.

If the authoritative DNS servers are not under your control, and you cannot persuade the owners of those servers to upgrade, you can use one of the other options.

Migrate the zone to Windows 2000 DNS.

You can migrate the zone from the authoritative servers to Windows 2000 DNS instead of upgrading those servers to a version that supports Active Directory requirements. Migrating a zone to Windows 2000 DNS is a straightforward process. Introduce one or more Windows 2000 DNS servers as secondary servers for the zone. After you are comfortable with the performance and manageability of the servers, convert the zone on one of the servers to be the primary copy, and rearrange the DNS zone transfer topology as necessary.

Delegate the name to a DNS server that meets the requirements.

If upgrading and migrating authoritative servers are not suitable options, you can change the authoritative servers by delegating the domain name to Windows 2000 DNS servers. How this is done depends on the relationship of the domain name to the existing zone structure.

  • If the domain name is not the same as the name of the root of a zone, the name can be delegated directly to Windows 2000 DNS servers. For example, if the name of the domain is and the zone that contains this name is, delegate to a Windows 2000 DNS server.

  • If the domain name is the same as the name of the root of a zone, you cannot delegate the name directly to a Windows 2000 DNS server. Instead, delegate each of the subdomains used by the locator records to a Windows 2000 DNS server. Those subdomains are: _msdcs.<DNS-domain-name>, _sites.<DNS-domain-name>, _tcp.<DNS-domain-name>, and _udp.<DNS-domain-name>. If you do this, you will have to register the <DNS-domain-name> address (A) records by hand. For more information about this topic, see "Windows 2000 DNS" in the TCP/IP Core Networking Guide.
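The two delegation cases above, worked as an added example that is not part of the original text: a small Python planner that, given the domain's DNS name and the zones hosted on the existing servers, reports which names to delegate to Windows 2000 DNS servers and whether the domain's A records must then be registered by hand. The function names and the sample names (example.com, corp.example.com) are constructed for this illustration.

```python
# Added example (not from the original document): plans how to delegate an
# Active Directory domain's locator records when the authoritative servers
# cannot be upgraded or migrated. All zone and domain names are constructed.

# Subdomains that hold the domain controller locator records (from the text).
LOCATOR_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]

def enclosing_zone(domain, zones):
    """Return the listed zone that contains `domain`: the longest matching
    suffix, compared label by label so 'ple.com' never matches 'example.com'.
    Returns None when no listed zone contains the name."""
    best, dl = None, _labels(domain)
    for zone in zones:
        zl = _labels(zone)
        if len(zl) <= len(dl) and dl[len(dl) - len(zl):] == zl:
            if best is None or len(zl) > len(_labels(best)):
                best = zone
    return best

def plan_delegation(domain, zones):
    """Decide which names must be delegated to a compliant DNS server.
    Case 1: the domain name is inside a zone but is not that zone's root,
            so the domain name itself is delegated.
    Case 2: the domain name is the root of an existing zone, so only the
            locator subdomains are delegated and the domain's own A records
            must be registered by hand on the existing servers."""
    zone = enclosing_zone(domain, zones)
    if zone is None:
        raise ValueError(f"{domain!r} is not inside any listed zone")
    name = ".".join(_labels(domain))
    if _labels(domain) != _labels(zone):
        return {"zone": zone, "delegate": [name], "manual_a_records": False}
    return {"zone": zone,
            "delegate": [f"{sub}.{name}" for sub in LOCATOR_SUBDOMAINS],
            "manual_a_records": True}

if __name__ == "__main__":
    # Constructed sample: corp.example.com is a child name inside example.com.
    print(plan_delegation("corp.example.com", ["example.com"]))
    # Constructed sample: corp.example.com is itself the root of a zone.
    print(plan_delegation("corp.example.com", ["example.com", "corp.example.com"]))
```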