For Geeks @nd the not so Geeky

Active Directory DNS

Active Directory DNS Records

When a computer that is a member of a domain using Active Directory integrated DNS boots, it queries the Service Record (SRV) from a Domain Name System (DNS) server to locate the nearest domain controller. DNS essentially enables the translation between IP addresses and Fully Qualified Domain Names (FQDNs).
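The SRV lookup described above can be reproduced by hand, which is useful when clients report "domain controller could not be located". The function below is an added example, not code from the original post; it assumes the DnsClient module (Windows 8 / Server 2012 and later) and a reachable DNS server, and corp.example.com, HQ and dns01 are placeholders.

```powershell
# Added example (not from the original post): list the domain controllers a
# client would discover through the _ldap._tcp.dc._msdcs SRV record, sorted
# the way the DC locator prefers them (lowest priority, then highest weight).
function Get-DomainControllerSrvRecord {
    param(
        # Fully qualified AD domain name (placeholder: corp.example.com)
        [Parameter(Mandatory)][string]$DomainName,
        # Optional AD site name; queries the site-specific record instead
        [string]$SiteName,
        # DNS server to ask; defaults to the client's configured resolvers
        [string]$Server
    )

    # Site-specific record when a site is given, otherwise the domain-wide one.
    $name = if ($SiteName) {
        "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName"
    } else {
        "_ldap._tcp.dc._msdcs.$DomainName"
    }

    # -DnsOnly skips LLMNR/NetBIOS and the hosts file so the answer reflects DNS alone.
    $params = @{ Name = $name; Type = 'SRV'; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $params.Server = $Server }

    try {
        $answer = Resolve-DnsName @params
    } catch {
        throw "No SRV record found for '$name': $($_.Exception.Message)"
    }

    # Resolve-DnsName also returns glue A/AAAA records; keep only the SRV entries.
    $answer |
        Where-Object { $_.Type -eq 'SRV' } |
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object @{ n = 'DomainController'; e = { $_.NameTarget } },
                      Port, Priority, Weight
}

# Usage (placeholder names):
# Get-DomainControllerSrvRecord -DomainName 'corp.example.com'
# Get-DomainControllerSrvRecord -DomainName 'corp.example.com' -SiteName 'HQ' -Server 'dns01'
```

An empty result or an error here, while the domain's A records still resolve, points at a missing or stale `_msdcs` SRV registration rather than at general name resolution. In a large domain the SRV answer can exceed the UDP payload size and the resolver retries over TCP port 53, so a perimeter rule that only permits UDP 53 can break domain controller location.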

So instead of contacting a host through its IP address you can just type in a name like somesite.com, which is a lot easier for humans to remember than, let’s say, 158.56.23.45, which of course is an IP address.

DNS plays a major role in Active Directory and can be used to run independently on a perimeter network.

All DNS communication – whether it be on your internal network or the Internet – always uses UDP port 53.

The root of the DNS hierarchy is the dot (.) after which you have the .com, .biz, .net, .info and other suffixes.

Active Directory Domain Name Resolution

Active Directory relies heavily on DNS to match IP addresses to names. DNS provides host records, grouped into zones, that resolve names within a specific namespace.

DNS and Active Directory – IPv6 Addresses

IPv6 addresses are made up of 128 bits, which gives us far more addresses than the 32-bit IPv4 range that has almost been depleted globally. An IPv6 address is written as eight 16-bit groups in hexadecimal. This should enable us to support addressing on the Internet for a long time.

•    Link-Local – FE80:: – Similar to IPv4 APIPA addresses that get allocated when no DHCP server can be contacted
•    Site-Local – FEC0:: – Equivalent to IPv4 internal addresses such as 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16
•    Loopback – ::1 – Similar to 127.0.0.1 in IPv4
•    Unspecified – :: – Comparable to 0.0.0.0 in IPv4 and thus indicating an absence of address
•    Global Unicast – Unique addresses that are routable on the Internet
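The scopes in the list above can be recognised programmatically with the .NET System.Net.IPAddress type that PowerShell exposes. The function below is an added example, not code from the original post; it goes slightly beyond the list by also recognising multicast (FF00::/8) and unique local addresses (FC00::/7, the current replacement for the deprecated site-local range), and the sample addresses at the end are constructed.

```powershell
# Added example (not from the original post): classify an IPv6 address into
# the scopes listed above using System.Net.IPAddress.
function Get-IPv6AddressScope {
    param([Parameter(Mandatory)][string]$Address)

    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetworkV6) {
        throw "'$Address' is not an IPv6 address"
    }

    # Exact-match special addresses first, then the prefix-based scopes.
    if ($ip.Equals([System.Net.IPAddress]::IPv6Any))      { return 'Unspecified (::)' }
    if ($ip.Equals([System.Net.IPAddress]::IPv6Loopback)) { return 'Loopback (::1)' }
    if ($ip.IsIPv6LinkLocal) { return 'Link-Local (FE80::/10)' }
    if ($ip.IsIPv6SiteLocal) { return 'Site-Local (FEC0::/10, deprecated)' }
    if ($ip.IsIPv6Multicast) { return 'Multicast (FF00::/8)' }

    # Remaining scopes are decided by the leading bits of the first byte.
    $first = [int]$ip.GetAddressBytes()[0]
    if (($first -band 0xE0) -eq 0x20) { return 'Global Unicast (2000::/3)' }
    if (($first -band 0xFE) -eq 0xFC) { return 'Unique Local (FC00::/7)' }
    return 'Other / reserved'
}

# Constructed sample addresses covering each scope.
$samples = @(
    'fe80::1c2a:3b4c:5d6e:7f80%12',   # the %12 zone index is accepted by Parse
    'fec0::1',
    '::1',
    '::',
    '2001:db8::10',                    # 2001:db8::/32 is the documentation prefix
    'fd12:3456:789a::1',
    'ff02::1'
)
$samples | ForEach-Object {
    [pscustomobject]@{ Address = $_; Scope = Get-IPv6AddressScope -Address $_ }
} | Format-Table -AutoSize
```

Running the classifier over the addresses a domain controller has registered in DNS (its AAAA records) is a quick way to spot link-local or site-local addresses that should never have been published, since clients in other subnets cannot reach them.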

Active Directory DNS Setup – Peer Name Resolution Protocol (PNRP)

The Peer Name Resolution Protocol (PNRP) relies on peer systems to resolve computer names in Windows 7 and Server 2008 R2. This means that, unlike DNS, there is no hierarchical structure, as each server or computer holds a record for the name to be resolved. The computer simply contacts the other computers or servers until it gets an authoritative answer, which greatly reduces the risk of a single DNS server being a single point of failure.

DNS in Active Directory – Global Names Zone (GNZ)

The GlobalNames zone replaces WINS but must be configured manually and is only suitable when you have a small number of clients to handle. It is useful for older applications that cannot work with the more complex FQDN structure. If a multitude of applications or users require single-name resolution then WINS will have to be implemented.
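Because the GlobalNames zone is created by hand, the steps are easy to get wrong (support must be switched on per server, and the zone must be forest-replicated). The script below is an added example, not from the original post; it assumes an elevated Domain Admin session on an AD integrated DNS server, and dns01, legacyapp and app-legacy.corp.example.com are placeholders.

```powershell
# Added example (not from the original post): create a forest-wide
# GlobalNames zone with dnscmd and publish one single-label name in it.
$DnsServer = 'dns01'   # placeholder: an AD integrated DNS server

function Invoke-DnsCmd {
    # Runs dnscmd and stops on the first failure instead of silently continuing.
    param([Parameter(Mandatory, ValueFromRemainingArguments)][string[]]$Arguments)
    & dnscmd $DnsServer @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

# 1. Enable GlobalNames support. This is a per-server setting: repeat it on
#    every authoritative DNS server that should answer single-label queries.
Invoke-DnsCmd /Config /EnableGlobalNamesSupport 1

# 2. Create the zone as an AD integrated primary replicated to every DNS
#    server in the forest (the forest-wide application directory partition).
Invoke-DnsCmd /ZoneAdd GlobalNames /DsPrimary /DP /forest

# 3. Each single-label name is a CNAME alias pointing at the real FQDN;
#    GlobalNames holds aliases only, never A records for the hosts themselves.
Invoke-DnsCmd /RecordAdd GlobalNames legacyapp CNAME app-legacy.corp.example.com

# 4. Verify the alias is present before pointing clients at it.
Invoke-DnsCmd /EnumRecords GlobalNames legacyapp
```

Keep the list of aliases short and reviewed: every name in GlobalNames resolves for every client in the forest, so a stale alias that now points at a decommissioned host is a forest-wide problem rather than a local one.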

Active Directory DNS Structures

•    Dynamic DNS servers – Default mode when running DCpromo or when installing an AD integrated DNS server. DDNS enables computers and devices to self-register in Active Directory as long as these devices or computers belong to a known entity within AD

•    Read-Write DNS Servers – Usually a primary DNS server that is deployed in perimeter networks and will accept writes from trusted sources

•    Read-Only DNS Servers – Primarily secondary DNS servers that hold a read-only copy of the primary DNS server’s zones.

In Windows 2008 we also have the read-only domain controller (RODC) which runs primary read-only zones when integrated in AD DS.

Remember that RODCs provide a copy of the primary zone, whereas traditionally read-only zones are secondary zones.

•    Stub Zones – Contains pointers to other DNS servers

Active Directory DNS Namespaces

It is considered best practice to use different extensions for your internal and external network, such as .com for external and maybe .local for your internal network. The segregation of your internal namespace from the Internet is commonly called Split-Brain DNS.
For more information on split-brain DNS setups, go to
http://technet.microsoft.com/en-us/library/ee382323(WS.10).aspx

Active Directory DNS Delegation

When you create a domain tree in an existing forest you have to manually configure delegation before the root of the tree is created. This is because the name of the domain tree is different from the forest root domain. If however you create a child domain in the same forest this process is automated, because the child domain’s name is a subdomain of its parent.

Active Directory DNS – Windows Server 2008 R2

DNS Security Extensions

DNS Security Extensions (DNSSEC) provide additional protection against spoofing, man-in-the-middle and cache poisoning attacks. DNSSEC uses digital signatures on the records it sends. To enable DNSSEC you will need to edit the registry.
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7a005a14-f740-4689-8c43-9952b5c3d36f&displaylang=en

Active Directory DNS Cache Locking

DNS Cache Locking prevents malicious users from poisoning the DNS cache in order to redirect queries to their servers. In Windows Server 2008 the cache cannot be overwritten until its TTL has expired. The setting can be changed by running the command dnscmd /Config /CacheLockingPercent percentvalue

Active Directory DNS Socket Pool

When DNS Socket Pools are in use with Windows Server 2008, random source ports get picked to perform DNS queries. Randomizing the source port makes it much harder for an attacker to forge a response that matches an outstanding query. Socket Pools can be configured by editing the registry.
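Cache locking and the socket pool are the two settings that decide how exposed a Windows DNS server is to cache poisoning, so they are worth auditing together. The script below is an added example, not from the original post; it assumes an elevated session on a Windows Server DNS server that has both features (2008 R2 and later), reads the values from the service’s registry parameters, and treats a missing value as the documented default (100 percent for cache locking, 2500 sockets for the pool).

```powershell
# Added example (not from the original post): audit and, if needed, raise the
# DNS cache-locking percentage and socket-pool size.
$DnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'

function Get-DnsPoisoningDefenceState {
    $props = Get-ItemProperty -Path $DnsParams -ErrorAction Stop
    # A value that is absent from the registry means the built-in default applies.
    $lock = if ($null -ne $props.CacheLockingPercent) { $props.CacheLockingPercent } else { 100 }
    $pool = if ($null -ne $props.SocketPoolSize)      { $props.SocketPoolSize }      else { 2500 }
    [pscustomobject]@{
        CacheLockingPercent = $lock
        SocketPoolSize      = $pool
        # Below 100 percent a cached record can be replaced before its TTL
        # expires; a small pool leaves fewer source ports to guess.
        Hardened            = ($lock -eq 100 -and $pool -ge 2500)
    }
}

function Set-DnsPoisoningDefence {
    param(
        [ValidateRange(0, 100)]  [int]$CacheLockingPercent = 100,
        [ValidateRange(0, 10000)][int]$SocketPoolSize      = 2500
    )
    dnscmd /Config /CacheLockingPercent $CacheLockingPercent
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd failed to set CacheLockingPercent' }
    dnscmd /Config /SocketPoolSize $SocketPoolSize
    if ($LASTEXITCODE -ne 0) { throw 'dnscmd failed to set SocketPoolSize' }
    # Both values are read when the service starts.
    Restart-Service -Name DNS
}

# Audit first; only call Set-DnsPoisoningDefence when Hardened is False.
$state = Get-DnsPoisoningDefenceState
$state
if (-not $state.Hardened) {
    Write-Warning 'Cache locking or socket pool is below the default; run Set-DnsPoisoningDefence.'
}
```

Restarting the DNS service drops the resolver cache, so schedule the change for a quiet period; the audit half of the script can run at any time and is safe to include in a periodic configuration check.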

Active Directory DNS Devolution

For more information on devolution behaviour in Windows Server 2008 R2 and Windows 7,
go to http://technet.microsoft.com/en-us/library/ee683928%28WS.10%29.aspx

Active Directory Without DNS – Background Zone Loading

Whenever an AD DS integrated DNS server holds a large number of zones and records, it needs to load all that data before servicing requests. Background loading enables the server to start processing requests while loading its zone data.
