Windows 2000 Domain Name System (DNS)
This overview focuses on Microsoft® Windows® 2000 Domain Name System (DNS), an implementation designed to streamline server administration and simplify DNS management. Business networks—whether providing back office services, intranet-based informational services, or Internet-based e-commerce—can benefit from many new technologies, features, and integrated technologies that constitute Windows 2000 DNS services.
Windows 2000 DNS server is designed to interoperate with Windows 2000 networking services and Active Directory. This integration of core networking services and standards-based technologies enhances network reliability, facilitates network administration, and supports a collaborative computing environment. The new, compelling benefits and features of Windows 2000 DNS include improved scalability through secure dynamic updates, greater performance and data accuracy through automated aging and scavenging, easier identification and management of network resources across different systems through Unicode character support, and new administrative tools that simplify network administration.
Microsoft® is committed to reliable network interoperability. To this end, the Windows® 2000 operating system supports different legacy network naming solutions as well as complying with the latest proposed RFC standards driven by the Internet Engineering Task Force (IETF).
Though Windows 2000 DNS is optimized to support the Windows 2000 operating system, it is also capable of servicing UNIX-based systems. For this reason, it is the recommended DNS server for enhancing the management of heterogeneous environments, or for any networked organization with a significant investment in a Windows-based network or extranet partners with Windows-based systems.
In order to deploy Active Directory™ service, the Domain Name System (DNS) is required to support the Active Directory namespace. The DNS servers used must support SRV records, as described in an Internet Draft "A DNS RR for specifying the location of services (DNS SRV)." Also, it is recommended that they support dynamic update (RFC 2136).
The Windows 2000 implementation of DNS server is designed to interoperate with, and take full advantage of, Active Directory. Conventional DNS servers use single-master replication, but Windows 2000 DNS can take advantage of Windows 2000 Active Directory service, which has a multimaster replication engine. In this way, network managers can centralize and simplify system administration and overall system management by not having to maintain a separate replication topology for DNS. Integration with Active Directory, coupled with new features and enhancements to the core Windows 2000 DNS services, provides greater reliability and improved network administration. This paper is aimed at Information Technology (IT) managers who wish to better understand how these benefits can be realized through the deployment of Windows 2000 DNS services.
Windows 2000 DNS Services: New Features and Enhancements
This section summarizes the benefits of the technology enhancements and new features of Windows 2000 DNS server.
Integrated with Active Directory. By integrating with Active Directory and taking advantage of multimaster replication, the Windows 2000 DNS service removes the need for a secondary DNS server and mitigates reliability issues by eliminating the single point of failure for updates. This results in a more available, more reliable network for your business.
Secure dynamic update. Secure dynamic update preserves the ownership of DNS records registered by clients that support dynamic update. When a name is created in a DNS database protected by secure dynamic update, the entity—such as a computer, an application, or a service—that created the record becomes the exclusive owner of that record. This increases security by preventing any other client, including a malicious attacker, from deleting or modifying the records with that name. For example, this feature impedes an attacker who tries to modify a server's A (host) record by replacing the server's IP address with the IP address of the attacker's computer in order to redirect the server's traffic there.
Aging and scavenging feature. This feature prevents the accumulation of stale records in the DNS database (which can degrade server performance and the validity of the information stored in DNS records) and efficiently releases unused names. This advantage can decrease the number of technical support calls.
Unicode character support. While conventional DNS server implementations limit allowed characters to the set described in RFC 1123, this implementation of DNS accommodates a wider range of characters—including the UTF-8 character encoding (RFC 2044), a superset of ASCII and a translation of the UCS-2 (or Unicode) character encoding. This saves administrators the chore of renaming devices using a non-strict set of characters on a machine-by-machine basis.
New administrative tools. The new tools include the DNS console snap-in, the Windows Management Instrumentation (WMI) DNS provider (available in the Resource Kit), and the DNS server command-line tool (Dnscmd.exe). These tools serve to simplify and automate administration.
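The record-ownership rule behind secure dynamic update, as an added illustration that is not code from Microsoft or from Windows 2000 DNS: the three zone policies mirror the Windows update settings (no dynamic updates, nonsecure and secure, secure only), while the record store, the principal names, the addresses and the rcode strings are constructed for this example. The principal is the identity proven by the request's GSS-TSIG signature; an unsigned request has none. The attacker scenario is the one the text describes, run against both the unprotected and the protected policy so the difference is visible.

```python
"""Per-record ownership under secure dynamic update (added illustration)."""
from dataclasses import dataclass, field
from typing import Dict, Optional

NO_UPDATES = "none"
NONSECURE_AND_SECURE = "nonsecure_and_secure"
SECURE_ONLY = "secure_only"


@dataclass
class Record:
    rtype: str
    rdata: str
    owner: Optional[str]  # authenticated principal that created the record, if any


@dataclass
class Zone:
    name: str
    update_policy: str
    records: Dict[str, Record] = field(default_factory=dict)

    def dynamic_update(self, name: str, rtype: str, rdata: Optional[str],
                       principal: Optional[str]) -> str:
        """Apply one dynamic update (rdata=None deletes); returns an rcode name.

        principal: identity proven by the request's GSS-TSIG signature,
        or None for an unsigned (anonymous) request.
        """
        if self.update_policy == NO_UPDATES:
            return "REFUSED"
        if self.update_policy == NONSECURE_AND_SECURE:
            # Ownership is not enforced: any client may overwrite any record.
            # This is the setting the redirection attack in the text relies on.
            return self._apply(name, rtype, rdata, None)
        # SECURE_ONLY: unsigned requests are rejected outright.
        if principal is None:
            return "REFUSED"
        existing = self.records.get(name)
        # Modeling assumption: an ownerless record (created while the zone was
        # nonsecure) is claimed by the first authenticated updater.
        if existing is not None and existing.owner is not None and existing.owner != principal:
            # The name belongs to another principal: no modify, no delete.
            return "REFUSED"
        return self._apply(name, rtype, rdata, principal)

    def _apply(self, name: str, rtype: str, rdata: Optional[str],
               owner: Optional[str]) -> str:
        if rdata is None:
            self.records.pop(name, None)
        else:
            self.records[name] = Record(rtype, rdata, owner)
        return "NOERROR"

    def lookup(self, name: str) -> Optional[str]:
        rec = self.records.get(name)
        return rec.rdata if rec else None


def demo_hijack_attempt(policy: str) -> dict:
    """Server SRV01 registers www, then an attacker tries to redirect it.

    Constructed scenario: returns the rcode of each step and www's final address.
    """
    zone = Zone("corp.example", policy)
    register = zone.dynamic_update("www", "A", "10.0.0.5", "SRV01$")
    refresh = zone.dynamic_update("www", "A", "10.0.0.7", "SRV01$")   # owner updates itself
    anonymous = zone.dynamic_update("www", "A", "10.0.0.66", None)    # unsigned request
    impostor = zone.dynamic_update("www", "A", "10.0.0.66", "EVIL$")  # other principal
    return {"register": register, "refresh": refresh, "anonymous": anonymous,
            "impostor": impostor, "www": zone.lookup("www")}


if __name__ == "__main__":
    for policy in (NONSECURE_AND_SECURE, SECURE_ONLY):
        print(policy, demo_hijack_attempt(policy))
```

Under the secure-only policy the owner's own refresh succeeds while both the unsigned and the impostor update are refused and www keeps the owner's address; under the nonsecure policy every step succeeds and the last writer wins, which is why the nonsecure setting should be treated as an availability feature rather than a security control.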
Business Benefits Of Windows 2000 DNS
This section discusses the benefits of the Windows 2000 DNS server features and enhancements.
Integration with Active Directory
In addition to supporting a conventional way of maintaining and replicating DNS zone files, a Windows 2000 DNS server has the option of using Active Directory service as the data storage and replication engine. This approach provides the following benefits:
DNS replication will be performed by Active Directory service, so there is no need to support a separate replication topology for DNS servers.
Active Directory service replication is secure.
A primary DNS server is eliminated as a single point of failure for updates. Original DNS replication is single-master; it relies on a primary DNS server to update all the secondary servers. Active Directory service replication, by contrast, is multimaster; an update can be made on any domain controller on which the DNS server is running, and the change propagates to the other domain controllers. When a DNS zone is integrated into Active Directory service in this way, the replication engine always synchronizes the DNS zone information.
Thus, Active Directory service integration significantly simplifies the administration of a DNS namespace. At the same time, standard zone transfer to other servers—including non-Windows 2000 DNS servers and previous versions of DNS servers—is supported.
Aging and Scavenging
Windows 2000 DNS servers support aging and scavenging features. These features provide the mechanism for removing stale resource records that can accumulate in zone data over time.
Having many stale resource records can present problems. Stale resource records take up space on the server and increase time to load the zone data. As a result, DNS server performance suffers. Moreover, a server might use a stale resource record to answer queries addressed to the server, which could cause clients to experience name resolution problems on the network.
To solve these problems, the Windows 2000 DNS server can scavenge stale records; that is, it can search the database for records that have aged and delete them. Administrators can control aging and scavenging by specifying which servers can scavenge zones, which zones can be scavenged, and which records must be scavenged if they become stale.
The DNS server uses an algorithm that ensures that it does not accidentally scavenge the records that must remain, provided that all the parameters are correctly configured.
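The aging and scavenging logic above, as an added illustration that is not the Windows 2000 DNS implementation: it follows the no-refresh / refresh interval scheme Windows DNS uses for aging (a refresh inside the no-refresh window is ignored, and a record is stale only once both windows have elapsed since its last accepted refresh), and it models the two administrative controls the text names, whether this server may scavenge the zone and which records are exempt (static records, marked here with timestamp 0). The zone, record names, addresses and timestamps are constructed for this example.

```python
"""Aging and scavenging of dynamically registered records (added illustration)."""
from dataclasses import dataclass
from typing import List

DAY = 86400


@dataclass
class AgedRecord:
    name: str
    rdata: str
    timestamp: int  # seconds since epoch of the last accepted refresh; 0 = static


class AgingZone:
    def __init__(self, no_refresh: int = 7 * DAY, refresh: int = 7 * DAY,
                 scavenging_enabled: bool = True):
        self.no_refresh = no_refresh                  # refreshes in this window are ignored
        self.refresh = refresh                        # client must refresh within this window
        self.scavenging_enabled = scavenging_enabled  # this server is allowed to scavenge
        self.records: List[AgedRecord] = []

    def add_static(self, name: str, rdata: str) -> None:
        """Administrator-created record; timestamp 0 exempts it from aging."""
        self.records.append(AgedRecord(name, rdata, 0))

    def register(self, name: str, rdata: str, now: int) -> str:
        """Dynamic registration or refresh by a client; returns what happened."""
        for rec in self.records:
            if rec.name == name and rec.rdata == rdata:
                if rec.timestamp == 0:
                    return "static"
                if now < rec.timestamp + self.no_refresh:
                    # Inside the no-refresh window: keep the old timestamp so a
                    # routine refresh causes no write and no replication event.
                    return "suppressed"
                rec.timestamp = now
                return "refreshed"
        self.records.append(AgedRecord(name, rdata, now))
        return "created"

    def stale(self, now: int) -> List[AgedRecord]:
        """Dynamic records whose no-refresh and refresh windows have both elapsed."""
        return [r for r in self.records
                if r.timestamp != 0 and now >= r.timestamp + self.no_refresh + self.refresh]

    def scavenge(self, now: int) -> List[str]:
        """Delete stale records; returns the names removed (none if not permitted)."""
        if not self.scavenging_enabled:
            return []
        doomed = {id(r) for r in self.stale(now)}
        removed = [r.name for r in self.records if id(r) in doomed]
        self.records = [r for r in self.records if id(r) not in doomed]
        return removed


def demo_scavenge() -> dict:
    """Two workstations and a static printer over a constructed 15-day window."""
    t0 = 1_000 * DAY
    zone = AgingZone()                       # 7-day no-refresh, 7-day refresh
    zone.add_static("printer", "10.0.0.9")
    zone.register("pc1", "10.0.0.11", t0)
    zone.register("pc2", "10.0.0.12", t0)
    early = zone.register("pc1", "10.0.0.11", t0 + 3 * DAY)   # inside no-refresh window
    later = zone.register("pc1", "10.0.0.11", t0 + 10 * DAY)  # inside refresh window
    removed = zone.scavenge(t0 + 15 * DAY)                    # pc2 never refreshed
    return {"early": early, "later": later, "removed": removed,
            "remaining": sorted(r.name for r in zone.records)}


if __name__ == "__main__":
    print(demo_scavenge())
```

The "provided that all the parameters are correctly configured" caveat in the text is visible in the arithmetic: the scavenging run must not fire before no-refresh plus refresh has elapsed, and a refresh interval shorter than the clients' own re-registration period would scavenge live hosts, so the two intervals and the clients' refresh schedule have to be set together.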
New Administrative Tools
Three new or enhanced tools in Windows 2000 DNS services are described in this section: the DNS console, the WMI provider, and the DNS server command-line tool. These tools serve to simplify DNS server administration and free up time for other tasks.
DNS Console
The Windows 2000 DNS server introduces an enhanced DNS management tool as a Microsoft Management Console (MMC) snap-in called the DNS console. It provides all the functionality necessary to administer a DNS server, its zones, its security settings, and so forth.
The DNS console features that deserve attention are:
The Configure New Server wizard, which gathers root hints as part of configuring a new DNS server.
The filtering capability, which is useful for servers that host a large number of zones and for zones that contain a large number of records.
The new security capability, which allows specification of the secondary servers that are to be notified of changes on the master zone, as well as specification of the sets of servers to be sent the updated zone information. The new security capability also allows modification of the access control lists (ACLs) for the directory service-integrated zones and entries in such zones.
WMI Support for DNS Server Administration
The Windows Management Instrumentation (WMI) is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an initiative based on standard technologies to access and manage information in enterprise computing environments. WMI provides a uniform model through which management data from any source can be managed in a standard way. Included in the WMI SDK is the WDM provider, which is a set of extensions to the Windows Driver Model (WDM) that provides an operating system interface through which hardware components can provide information and notification of events. WMI simplifies the instrumentation of various drivers and applications written for the Windows operating system, provides detailed and extensible information that is consistent across different vendors' products, and allows for consistent access to Windows instrumentation from non-Windows-based environments.
Among other services, WMI supports the monitoring and management of DNS servers, zones, and records. It allows listing and modifying DNS server and zone parameters, enumerating zones and resource records, updating resource records, creating and deleting zones, and numerous other operations. WMI allows an administrator to write an automated application to manage DNS objects. The WMI method provider enables these applications to invoke methods that are defined on the DNS server.
DNS Server Troubleshooting Tool (Dnscmd.exe)
DNScmd.exe is a command-line tool designed to assist local and remote administration of the DNS environment.
DNScmd allows the administrator to view the configuration parameters of DNS servers, zones, and resource records. In addition, DNScmd can be used to manually modify these properties, to create and delete zones and resource records, and to force replication events between DNS server physical memory and DNS databases and datafiles.
Note: DNScmd enhances the functionality of, and replaces, Dnsstat.exe, a tool included in versions of the Windows NT Resource Kit.
Unicode Character Support
Original DNS names are restricted to the character set specified in RFC 1123 and RFC 952: the letters A-Z and a-z, the digits 0-9, and the hyphen. In addition, the first character of a DNS name can be a digit (to accommodate the needs of companies like 3Com or 3M).
NetBIOS names allow a much broader character set than DNS names. The difference in the character sets used by the two name services could be an issue during an upgrade from NetBIOS names (in Windows NT 4.0) to DNS names (in Windows 2000).
One solution to the problem is to rename NetBIOS names to DNS names so that they adhere to existing DNS naming standards. This is a time consuming process, which in many cases will not be possible.
The Clarifications to the DNS Specification (RFC 2181) enlarge the character set allowed in DNS names: a DNS label can be any binary string, and it does not necessarily have to be interpreted as ASCII. Based on this definition, Microsoft has proposed that the DNS name specification be readjusted to accommodate a larger character set—the UTF-8 character encoding (RFC 2044), a superset of ASCII and a translation of the UCS-2 (or Unicode) character encoding. Windows 2000 DNS is designed to support UTF-8 character encoding.
The UTF-8 character set includes characters from most of the world's written languages, allowing a far greater range of possible names and allowing names to use characters that are relevant to a particular locality. It solves the issue of transition from NetBIOS names (Windows NT 4.0) to DNS names (Windows 2000).
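A name checker at three strictness levels, as an added illustration that is not Microsoft code: the levels are modeled on the Windows DNS name-check settings (strict RFC, non-RFC ANSI, multibyte UTF-8), but the regular expressions, the underscore relaxation chosen for the middle level, the function names and the sample hostnames are this example's own. It is the check an administrator would run over an inventory of NetBIOS-era names before the upgrade the text describes, to see which names a strict server would reject and which need the UTF-8 level; it also enforces the wire-format length limits on the encoded bytes rather than on character counts, which is where UTF-8 names differ from ASCII ones.

```python
"""DNS name checking at three strictness levels (added illustration)."""
import re
from typing import Dict, List, Optional

# RFC 952 / RFC 1123 label: letters, digits, hyphen; no leading or trailing hyphen.
STRICT_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Relaxed ASCII label: adds the underscore that NetBIOS-era names often carry
# (assumption: this is the relaxation this example uses for the "nonrfc" level).
NONRFC_LABEL = re.compile(r"^[A-Za-z0-9_-]+$")

MAX_LABEL_BYTES = 63   # wire-format label length limit (RFC 1035)
MAX_NAME_BYTES = 255   # wire-format name length limit (RFC 1035), applied to the dotted form here
LEVELS = ("strict", "nonrfc", "utf8")


def check_label(label: str, level: str) -> bool:
    encoded = label.encode("utf-8")
    # Length limits apply to the encoded bytes, not the character count:
    # a label of 40 two-byte characters is 80 bytes and does not fit.
    if not 1 <= len(encoded) <= MAX_LABEL_BYTES:
        return False
    if level == "strict":
        return STRICT_LABEL.match(label) is not None
    if level == "nonrfc":
        return NONRFC_LABEL.match(label) is not None
    if level == "utf8":
        # Any UTF-8 string is a label (RFC 2181); only control characters are rejected here.
        return all(ord(ch) >= 32 for ch in label)
    raise ValueError(f"unknown level {level!r}")


def check_name(name: str, level: str) -> bool:
    bare = name.rstrip(".")
    if not bare or len(bare.encode("utf-8")) > MAX_NAME_BYTES:
        return False
    # An empty label (as in "a..b") fails the length check inside check_label.
    return all(check_label(label, level) for label in bare.split("."))


def classify(name: str) -> Optional[str]:
    """Least permissive level at which the name is accepted, or None if never."""
    for level in LEVELS:
        if check_name(name, level):
            return level
    return None


def triage(names: List[str]) -> Dict[str, List[str]]:
    """Group hostnames by the name-check level a server must run to accept them."""
    result: Dict[str, List[str]] = {level: [] for level in LEVELS}
    result["rejected"] = []
    for n in names:
        result[classify(n) or "rejected"].append(n)
    return result


if __name__ == "__main__":
    # Constructed inventory of pre-upgrade machine names.
    inventory = ["web1", "FILE_SRV", "büro-pc", "-bad", "ü" * 40]
    for level, names in triage(inventory).items():
        print(f"{level:9s} {names}")
```

Names that land in the nonrfc or utf8 groups are exactly the ones the text says no longer need renaming, with one operational caveat already implied by the interoperability discussion above: they are accepted only by servers configured for that level, so a zone that is transferred to a strict non-Windows secondary should contain only names from the strict group.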
Internet Standards Supported by Windows 2000 DNS
Microsoft is committed to supporting Internet standards, and has used the following in the development of the Windows 2000 DNS server implementation:
RFC 1034 Domain Names - Concepts and Facilities
RFC 1035 Domain Names - Implementation and Specification
RFC 1123 Requirements for Internet Hosts - Application and Support
RFC 1886 DNS Extensions to Support IP Version 6
RFC 1995 Incremental Zone Transfer in DNS
RFC 1996 A Mechanism for Prompt DNS Notification of Zone Changes
RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)
RFC 2181 Clarifications to the DNS Specification
RFC 2308 Negative Caching of DNS Queries (DNS NCACHE)
Draft-ietf-dnsind-rfc2052bis-04.txt (A DNS RR for Specifying the Location of Services [DNS SRV])
Draft-skwan-utf8-dns-02.txt (Using the UTF-8 Character Set in the Domain Name System)
Draft-ietf-dhc-dhcp-dns-08.txt (Interaction between DHCP and DNS)
Draft-ietf-dnsind-tsig-11.txt (Secret Key Transaction Signatures for DNS [TSIG])
Draft-ietf-dnsind-tkey-00.txt (Secret Key Establishment for DNS [TKEY RR])
Draft-skwan-gss-tsig-04.txt (GSS Algorithm for TSIG [GSS-TSIG])
Draft-levone-dns-wins-lookup-00.txt (WINS Lookup by DNS Server [WINS-Lookup])
For more information on these documents, visit the IETF web site (http://www.ietf.org/).
Summary
Microsoft Windows 2000 DNS is designed to streamline server administration and simplify DNS management. Business networks—whether related to back office, e-commerce, intranet, or Internet—can benefit from many new technologies, features and integrated services enhanced by Windows 2000 DNS servers.
The Windows 2000 implementation of DNS was designed to easily interoperate with, and fully take advantage of, Active Directory. As well, new features and enhancements to Windows 2000 DNS services add to naming service reliability and to quicker and simpler administration, including the following:
Integrated with Active Directory. This results in a more available, more reliable network for your business.
Secure dynamic update. This increases security and impedes attackers from spoofing names of other servers.
Aging and scavenging feature. This feature prevents the accumulation of stale records, which would otherwise decrease performance and lower the validity of information. An added advantage is a decreased number of technical support calls.
Unicode character support. This implementation of DNS accommodates a larger character set. The advantage is that administrators can avoid the time-consuming chore of renaming devices that use a non-strict set of characters on a machine-by-machine basis.
New administrative tools. These tools serve to simplify and automate administration.
For More Information
For more information on Windows 2000 DNS services, see the white paper, "Windows 2000 DNS," in Microsoft TechNet.
To gain a better understanding of Active Directory service, and how it interoperates with applications and DNS services, see the article, "Active Directory Architecture," in Microsoft TechNet.
You can find full product information, including upgrading, technical white papers, feature and tool descriptions, and pricing and licensing at the Microsoft Windows 2000 web site (http://www.microsoft.com/windows/).