Appendix G: Configuring DNS for a Heterogeneous UNIX and Windows Environment

Before you can proceed with implementing your security and directory solutions using Microsoft® Windows Server™ 2003 and Active Directory®, you must first have a functional Domain Name System (DNS). DNS is required for the following reasons:

  • DNS is a prerequisite for Active Directory. Active Directory cannot be installed or configured without DNS. Domain names are used to reference the root of each Active Directory domain tree. DNS is also used by computers in the domain to find key services, such as the domain controllers, Kerberos services, Lightweight Directory Access Protocol (LDAP) services, and global catalog servers.

  • Kerberos 5 uses DNS to locate Kerberos domain controllers. In a Windows Server 2003 Kerberos environment, Windows clients use DNS to locate the Kerberos domain controllers. Some UNIX clients are also capable of locating the Kerberos domain controllers using DNS.

  • LDAP requires DNS to find the rootDSE. LDAP clients and servers use DNS to find the root of the LDAP directory (rootDSE). They can also use DNS SRV records to locate LDAP services for a domain.

The following section addresses the most common DNS scenarios found in a heterogeneous UNIX and Windows environment.

Note Before designing and implementing your DNS infrastructure, Microsoft recommends that you read the "Deploying DNS" section from the Windows Server 2003 Deployment Guide (formerly called the Windows Server 2003 Deployment Kit) at https://www.microsoft.com/technet/prodtechnol/windowsserver2003/proddocs/deployguide/DNSBD_DNS_OVERVIEW.asp.

DNS Scenarios in a Heterogeneous Environment

A range of possible scenarios exist for providing a DNS service in a heterogeneous environment. These scenarios include:

  • Use only Windows Server 2003-based DNS servers. In this scenario, DNS services are provided exclusively by Windows Server 2003-based DNS servers. Active Directory, all Windows-based computers, and all UNIX-based computers use Windows Server 2003-based DNS servers for name resolution. Existing DNS servers are migrated to Windows Server 2003 DNS.

  • Use only BIND-based DNS servers. In this scenario, DNS services are provided exclusively by UNIX BIND servers. Active Directory, all Windows-based computers, and all UNIX-based computers use BIND DNS servers for name resolution. When using UNIX BIND servers for DNS, you can choose to enable or disable dynamic updates. These two options are described here:

    • Use BIND-based DNS servers with dynamic updates enabled. Configuring dynamic updates is permitted for a restricted set of computers, including the Windows Server 2003-based Dynamic Host Configuration Protocol (DHCP) server and domain controllers.

    • Use BIND-based DNS servers without dynamic updates enabled. In this model, the DNS resource records that normally would have been created automatically by computers that are members of the Active Directory domain are instead entered manually into a static name server.

  • Use a combination of Windows Server 2003-based DNS servers and BIND-based DNS servers.

    • Mixed Windows Server 2003-based DNS and BIND-based DNS servers serving the same domain. In this scenario, Windows Server 2003-based DNS servers are installed into the same domain as the existing UNIX BIND-based DNS servers. Active Directory is set up to use the same root domain name as the organization's domain name. The BIND-based DNS servers retain primary control of the organization's domain name and reverse lookup zones. The Windows Server 2003-based DNS server acts as a secondary server.

    • Windows Server 2003-based DNS implemented in a subdomain. In this scenario, all Windows-based computers are placed into a subdomain under the organization's domain name. The zone data of the organization's domain name is held on BIND-based DNS servers.

The details of configuring DNS in each of these scenarios are beyond the scope of this guide. However, DNS configuration for each of these scenarios is extensively covered in other documents. Table G.1 directs you toward the documents you should read when configuring your DNS infrastructure.

Table G.1. DNS Resources and References

DNS Scenario: General background reading
References:
  • "Deploying DNS" section from the Windows Server 2003 Deployment Guide at https://www.microsoft.com/technet/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/deployguide/DNSBD_DNS_OVERVIEW.asp
  • BIND 9 Administrator Reference Manual at https://www.isc.org/products/BIND/
  • DNS and BIND (Albitz and Liu, 2001)
  • DNS on Windows 2000 (Larson and Liu, 2001)

DNS Scenario: Use only Windows Server 2003-based DNS servers
References:
  • Domain Name System (DNS) Center Knowledge Base Articles at https://www.microsoft.com/windows2000/technologies/communications/dns/dnskbs.asp
  • HOW TO: Migrate an Existing DNS Infrastructure from a BIND-Based Server to a Windows Server 2003-Based DNS at https://support.microsoft.com/default.aspx?scid=kb;en-us;323419

DNS Scenario: Use only BIND-based DNS servers
References:
  • Using BIND DNS Servers with Windows 2000 at https://research.microsoft.com/programs/up_content/bind.doc

DNS Scenario: Use a combination of Windows Server 2003-based DNS servers and BIND-based DNS servers
References:
  • Using BIND DNS Servers with Windows 2000 at https://research.microsoft.com/programs/up_content/bind.doc

DNS Configuration Issues for Windows Server 2003-based Security and Directory Solutions

This section highlights the specific configuration issues that are important to address when configuring DNS for the purpose of providing security and directory services using Windows Server 2003. These issues involve:

  • The use of SRV resource records. The DNS scenario that you choose must support SRV resource records. This is a mandatory requirement of Active Directory. The use of SRV resource records also simplifies the configuration of Kerberos clients.

  • Securing DNS servers. You must ensure that your DNS servers are physically and logically secure. Security issues with the DNS service will compromise your security and directory services.

  • Configuring secure dynamic updates. If you use DNS to dynamically update client resource records, you must ensure that the updates are transmitted securely; otherwise, your security and directory services will be compromised.

  • Limiting zone transfers to authorized systems. If you have configured DNS zone transfers, then you must ensure that the transfers are secured; otherwise, your security and directory services will be compromised.

  • Dynamic DNS. When choosing a DNS scenario, you should consider the benefits of choosing one that allows you to use Dynamic DNS securely. Dynamic DNS reduces the need for administrators to edit and maintain DNS configuration files manually.
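The zone-transfer and dynamic-update controls listed above, shown as a weak setting beside a hardened one on a Windows DNS server. This is an added example, not configuration from the guide; it assumes the DnsServer PowerShell module (Windows Server 2012 or later, not the Windows Server 2003 tooling the guide describes), and the zone name and secondary address are constructed placeholders.

```powershell
# Added example (not from the Microsoft guide): limit zone transfers to known
# secondaries and accept only secure (authenticated) dynamic updates.
# Assumes the DnsServer module; zone and secondary are constructed values.

$zone = 'example.microsoft.com'          # constructed zone name
$authorizedSecondaries = @('10.0.0.5')   # constructed: the only host allowed to pull the zone

# Weak setting (shown for contrast, not applied): any host may request a full
# zone transfer, and any client, authenticated or not, may overwrite records.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferAnyServer -DynamicUpdate NonsecureAndSecure

# Hardened setting: transfers go only to the listed secondaries, and updates are
# accepted only from clients that authenticate (Active Directory-integrated zone).
Set-DnsServerPrimaryZone -Name $zone `
    -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $authorizedSecondaries `
    -DynamicUpdate Secure

# Read the zone back and fail loudly if the settings did not take effect.
$z = Get-DnsServerZone -Name $zone
if ($z.SecureSecondaries -ne 'TransferToSecureServers' -or $z.DynamicUpdate -ne 'Secure') {
    throw "Zone $zone is not configured as expected: transfers=$($z.SecureSecondaries) updates=$($z.DynamicUpdate)"
}
Write-Host "Zone $zone: transfers restricted to $($authorizedSecondaries -join ', '), dynamic updates secure only"
```

Secure dynamic update is only available on Active Directory-integrated zones; on a file-backed primary zone the -DynamicUpdate Secure setting is rejected.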

To maximize the effectiveness of your directory and security solution, it is wise to make use of the load balancing facilities that are present in the Windows Server 2003 implementation of DNS. This is described in depth in the following section.

Configuring Windows Server 2003-based DNS to Use Round Robin for Load Balancing

Round robin is a load balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate all Resource Record (RR) types contained in a query answer if multiple RRs are found.

By default, DNS uses round robin to rotate the order of RR data returned in query answers where multiple RRs of the same type exist for a queried DNS domain name. This feature provides a simple method for load balancing the client use of Web servers and other frequently queried computers with multiple IP addresses (multihomed computers).

If round robin is disabled for a DNS server, the order of the response for these queries is based on a static ordering of RRs in the answer list as they are stored in the zone (either its zone file or Active Directory).

Example: Round-Robin Rotation

A forward lookup-type query (for all record type A RRs that match a DNS domain name) is made for a multihomed computer (multihomed.example.microsoft.com) that has three IP addresses. Separate A RRs are used to map the host's name to each of these IP addresses in the zone. In the stored example.microsoft.com zone, the RRs appear in this fixed order:

multihomed   IN  A  10.0.0.1
multihomed   IN  A  10.0.0.2
multihomed   IN  A  10.0.0.3

The first DNS client that queries the server to resolve this host's name receives the list in default order. When a second client sends a subsequent query to resolve this name, the list is rotated as follows:

multihomed   IN  A  10.0.0.2
multihomed   IN  A  10.0.0.3
multihomed   IN  A  10.0.0.1

Restricting Round-Robin Rotation for Selected RR Types

By default, DNS performs round-robin rotation for all RR types. You can specify in the registry that certain RR types are to be excluded from round-robin rotation: the registry entry DoNotRoundRobinTypes (REG_SZ) holds a string value listing those RR types. By setting this entry, you turn off round-robin rotation for the listed RR types only. For example, to prevent round-robin rotation for the A, PTR, SRV, and NS record types, you would enter the following value for the registry entry:

a ptr srv ns

Restricting Round-Robin Rotation for All RR Types

The default setting for round-robin rotation is contained in the registry entry RoundRobin (REG_DWORD). By default, this entry's value is 1, which rotates all RR types except those listed in the DoNotRoundRobinTypes registry entry. If the value of RoundRobin is set to 0, then no RR types will be round-robin rotated.

Warning   Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer. You can also use the Last Known Good Configuration startup option if you encounter problems after manual changes have been applied.

Note

  • The string value for the DoNotRoundRobinTypes registry entry may contain types in mnemonic (as shown earlier) or numeric formats.

  • Both of the round-robin registry entries must be created and stored in the following registry subkey:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\DNS\Parameters

  • Local subnet priority supersedes the use of round-robin rotation for multihomed names. When enabled, round robin continues to be a secondary method used to sort multiple RRs returned in a listed answer.
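The two registry entries described above, applied and verified from PowerShell. This is an added example, not code from the guide; it assumes it runs elevated on the DNS server itself, that the DNS Server service is restarted so a direct registry edit takes effect, and the chosen exclusion list (srv, ns) is illustrative.

```powershell
# Added example, not from the Microsoft guide: apply and verify the RoundRobin
# and DoNotRoundRobinTypes registry entries. Assumes elevated PowerShell on the
# DNS server and that the DNS Server service is restarted to pick up the change.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsRoundRobinPolicy {
    $props = Get-ItemProperty -Path $dnsParams
    # An absent RoundRobin entry means the default: 1, rotation on.
    $rotate = 1
    if ($null -ne $props.RoundRobin) { $rotate = [int]$props.RoundRobin }
    [pscustomobject]@{
        RoundRobin           = $rotate
        DoNotRoundRobinTypes = [string]$props.DoNotRoundRobinTypes
    }
}

function Set-DnsRoundRobinPolicy {
    param(
        [bool]$Enabled = $true,
        [string[]]$ExcludedTypes = @()   # mnemonic RR types, e.g. 'srv','ns'
    )
    if (-not (Test-Path $dnsParams)) {
        throw 'DNS Server parameters key not found; is the DNS Server role installed?'
    }
    # RoundRobin (REG_DWORD): 1 rotates every type not listed in DoNotRoundRobinTypes, 0 rotates nothing.
    Set-ItemProperty -Path $dnsParams -Name 'RoundRobin' -Value ([int]$Enabled) -Type DWord
    # DoNotRoundRobinTypes (REG_SZ): space-separated list of RR types exempt from rotation.
    $list = ($ExcludedTypes | ForEach-Object { $_.ToLowerInvariant() }) -join ' '
    Set-ItemProperty -Path $dnsParams -Name 'DoNotRoundRobinTypes' -Value $list -Type String
    Restart-Service -Name 'DNS'
    Get-DnsRoundRobinPolicy
}

# Record the current state first so it can be restored if the change misbehaves.
$before = Get-DnsRoundRobinPolicy
Write-Host "Before: RoundRobin=$($before.RoundRobin) DoNotRoundRobinTypes='$($before.DoNotRoundRobinTypes)'"

# Illustrative policy: keep rotating A records (load balancing of multihomed hosts)
# but return SRV and NS answers in their stored order.
$after = Set-DnsRoundRobinPolicy -Enabled $true -ExcludedTypes 'srv','ns'
Write-Host "After:  RoundRobin=$($after.RoundRobin) DoNotRoundRobinTypes='$($after.DoNotRoundRobinTypes)'"
```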

More information about configuring round-robin operation on Windows Server 2003 DNS can be found at https://technet2.microsoft.com/WindowsServer/f/?en/Library/e0f49958-f290-49fc-adb4-71ed8deefd621033.mspx.
