Professor Windows - January 2001
This is the second of a two-part series of columns on Windows 2000 DNS. The first column appeared last month. In this column, I will focus on integration of Active Directory services in your existing DNS hierarchy, planning for DNS servers, and some zone transfer issues.
Integrating AD in Existing DNS Hierarchy
When it comes to integrating Active Directory in your existing DNS hierarchy you need to decide whether the Active Directory namespace will overlap your DNS namespace or you will simply join your existing DNS namespace. Overlapping in this context means that you want an Active Directory domain (e.g. microsoft.com) integrated with a DNS domain of the same name (microsoft.com).
When there is an overlap, your existing DNS services will either be implemented on Windows NT 4.0 (in which case you should upgrade it to Windows 2000 DNS services) or on a non-Microsoft DNS server (in which case you should upgrade it to Windows 2000 DNS if the non-Microsoft DNS server doesn't support SRV records - and optionally dynamic updates). If non-Microsoft DNS servers in your existing environment cannot be upgraded to Windows 2000 DNS for whatever reason (e.g. hardware requirements can't be met) then you need to add an additional DNS server that does support SRV records (which are required for Active Directory implementation) and dynamic updates (which are not required but highly recommended) and delegate zones to this new server.
When there is no overlap and you plan to join your existing DNS namespace, you can delegate a Windows 2000 DNS namespace from your existing DNS namespace. In this scenario, the existing DNS server will become the primary master for the Active Directory namespace. Although not a requirement, the recommendation is that the zone name on your existing DNS server should correspond to the root domain of your Active Directory. This is not a requirement as I've pointed out. In fact, if your existing DNS server supports SRV records and dynamic updates then you don't really need to delegate Active Directory namespace.
You can successfully integrate Active Directory with non-Microsoft DNS servers (e.g. BIND 8.2.2). The domain controller will properly register all SRV records with the BIND server. However, I strongly recommend that you use Windows 2000's DNS server because it adds several additional features to the standard RFCs that are not necessarily found in non-Microsoft DNS servers. Features such as integration with WINS, dynamic registration of downlevel clients with the help of Windows 2000 DHCP server, and support for UTF-8 characters to name a few.
Planning for DNS servers
There are a number of things to consider when planning for DNS servers in your organization. Assuming that the hardware requirements are met, you need to decide how many DNS servers are required? Where will you place the primary and secondary zones? What will be the impact of replication traffic on the network? Would you be implementing DNS on non-Microsoft DNS servers as well? Will the DNS server be a domain controller or a member server? Will the zones be integrated in Active Directory? How many queries do you expect your DNS servers to receive? Answering these questions during the planning phase will help you in designing your DNS services.
Depending on the complexity of the routing in your environment, especially when you are dealing with zone transfers over slower links, you should consider placing cache-only DNS servers at remote locations. Even though Windows 2000 DNS supports incremental zone transfers and the resource records are cached on the DNS servers as well as the clients, in larger enterprises increased DNS traffic can have an impact on network performance. For example, if you shorten your DHCP leases, the DNS server will have to perform dynamic updates more frequently, which will generate more traffic.
For fault tolerance, consider configuring at least two DNS servers for each zone regardless of the size of the network – one as a primary and the other as a secondary server. Ideally, for each subnet you should have at least two Windows 2000 DNS servers that are domain controllers and configure them with Active Directory integrated zones and secure dynamic updates, as shown in Screen 1.
If your browser does not support inline frames, click here to view on a separate page.
There is a misconception that by default Windows 2000 DNS server is configured for dynamic updates. This is not true. Here's the gotcha! By default Active Directory integrated zones are configured for dynamic updates, but default standard zones are not. Because by default only the Active Directory integrated zones are configured for dynamic updates, you need to manually configure your standard zones for dynamic updates.
One of the best measures you can take to improve DNS server's performance is to add additional memory. When you start DNS service, all the zones are loaded into RAM. This means that adding additional RAM will improve performance when you have a large number of zones and when the clients' records are dynamically updated on more frequent bases.
The Windows 2000 Help file states that for each resource record added to the DNS server, an estimated 100 bytes of memory is consumed. Adding the 4 MB of RAM that is consumed when the DNS server is started, you can use these numbers as a guideline when capacity planning your DNS servers. For example, if a DNS server contains four zones, each with 2,600 resource records, the server will require approximately 5 MB of RAM – 4 MB for starting the services and 1 MB for the resources records (10,400 x 100 bytes = 1,016 KB, or approximately 1 MB). Please keep in mind that these numbers should be used only as a guideline, your mileage may vary depending on several factors: your server configuration, number of zones, the type of resource records, etc.
The DNS development and testing team at Microsoft performed certain tests (documented in the Windows 2000 Help file http://windows.microsoft.com/windows2000/en/server/help/
) that you will find useful in capacity planning your DNS servers. The tests performed on a 400 MHz dual-Pentium II server with 256 MB of RAM and 4 GB of hard disk space revealed that the server was able to handle 900 queries/sec and 100 dynamic updates/sec with the processor utilization of 30 percent. The DNS server was a dedicated server with no additional services running on that machine. Again, your mileage may vary so use these numbers only as a guideline.
Here are some other issues that you should consider in large networks. Performance of an Active Directory zone will be slightly lower compared to a standard primary zone because the DNS server will have to write to the Active Directory database instead of a simple text file. Furthermore, if you configure the Active Directory integrated zone for secure dynamic updates, the rate of dynamic update may suffer even more. For small to medium size organizations, the impact may not be significant, but in larger organizations you should monitor your server performance to obtain numbers that more accurately reflect your own environment. Do a search on "DNS server performance counters" in Windows 2000 Help to see a detailed listing of performance counters that you can monitor.
Zone Transfer Issues
By default, Windows 2000 DNS servers use a fast transfer method and compress data when zone transfers take place between Windows 2000 DNS servers. Non-Microsoft servers (e.g. BIND 4.9.4 or earlier) may not support fast transfers. Therefore, you should ensure that Windows 2000 DNS server is properly configured to operate with these non-Microsoft servers. To configure the zone transfer mode so it won't use fast transfers, enable the Bind Secondaries option, as shown in Screen 2. The default option has BIND secondaries enabled (i.e. the selection box is checked). Windows 2000 DNS Help and Microsoft's white paper on DNS (http://www.microsoft.com/windows2000/library/howitworks/communications/nameadrmgmt/w2kdns.asp
) incorrectly states that by default BIND secondaries option is disabled.
If your browser does not support inline frames, click here to view on a separate page.
Windows 2000 supports both full zone transfers (AXFR), where the entire zone file is transferred to a secondary DNS server, as well as incremental zone transfers (IXFR), where only the modified records are transferred. In last month's column http://www.microsoft.com/technet/community/columns/profwin/pw1200.mspx
(Part 1 of this two-part series), I discussed primary, secondary and Active Directory integrated zones. Unlike standard primary zones, Active Directory integrated zones allow you to modify the DNS database on any domain controller. One problem that you may encounter is when various master name servers apply zone changes in different order. For example, lets say domain controller Mars is master for domain controller Jupiter and provides incremental zone transfers. If Mars becomes unavailable and Jupiter ends up requesting an IXFR from another server, the changes will be applied in a different order and the integrity of the database on Jupiter will be questionable. In that situation Jupiter will request an AXFR from the master server.
This concludes this two-part series column on DNS planning. Hopefully, the information in these two columns helps you implement DNS successfully on your network and assist you in preparing for your Active Directory installation. When it comes to Active Directory and DNS, there are too many variables and my best advice to you is to cover all your bases and make sure DNS is working like a charm before you install Active Directory.
For any questions or feedback, please write to Microsoft TechNet at mailto: firstname.lastname@example.org