The Domain Name System (DNS) resolves the host names of network computers and services to their respective IP addresses. DNS is one of the core services used by Windows 2000 Active Directory directory services. In this lesson, you'll analyze the existing Windows NT DNS services and use those as a basis for planning your migration to Windows 2000.
After this lesson, you will be able to
Estimated lesson time: 35 minutes
The Domain Name System (DNS) allows a DNS namespace to be divided into zones, which store information about one or more DNS domains. For each DNS domain name included in a zone, the zone becomes the authoritative source for information about that domain. DNS is one of the core components of Windows 2000. If a DNS server is unable to resolve an address (in other words, find an IP address that matches a supplied domain name), it will forward the request to the DNS server of the parent zone for that address. On the Internet, the ultimate parent zone is the "." (root) zone, which sits above the familiar zone containing top-level names such as .com, .org, and .uk. Naming requests are passed down the hierarchy to the DNS server that's responsible for that zone; that DNS server can then return the IP address to enable network communications.
Your organization will probably already have a naming regime in force, and this might involve systems such as UNIX servers that aren't running Windows NT. To support Active Directory in a heterogeneous environment, any third-party DNS system must support the following:
NOTE
An RFC (Request for Comments) is an official document of the Internet Engineering Task Force (IETF) that specifies the details of new Internet specifications or protocols. To read more about an RFC, open your Web browser and use an Internet search engine to search for the RFC number; in this case, you would search for "RFC 2136."
The Windows 2000 Server DNS service meets these standards and has the additional benefit that it integrates the DNS zone storage into Active Directory. This means that it can perform zone replication without needing a DNS replication topology. It has the further advantage that it implements security on the DNS data.
When setting policy for the upgrade of this aspect of the network, consider the issues described in the following sections.
If the DNS servers become unavailable or there is contention over parts of the namespace, all TCP/IP users will be seriously affected. You must set a migration goal that DNS service be maintained at all times. You can configure multiple DNS servers for clients (so that a client will automatically connect to another server if the primary one isn't found). You can also have primary and secondary DNS servers in a given domain, which provides redundancy. Windows 2000 can function as a primary or a secondary DNS server.
Maintaining the DNS service and migrating it to Windows 2000 is potentially the most difficult political task in the migration project. Windows 2000 Active Directory depends on DNS to provide clients with information about the location of the various network resources, such as servers that use the Kerberos authentication protocol. The Kerberos authentication protocol was originally developed at MIT as a method of authenticating the identity of users attempting to log on to the network, and the Kerberos v5 authentication protocol is the default authentication service for Windows 2000. If your company has a UNIX team that provides your DNS service, they need to be involved in the migration project from the beginning. The Windows 2000 DNS service is substantially different from many other DNS services in the following ways:
To realize the maximum benefits of Active Directory, you should migrate the DNS servers to Windows 2000. If they run on a different operating system such as UNIX, you should carefully design the migration process with a period of parallel running and planned rollback options.
IMPORTANT
Although Windows 2000 will work with other DNS systems that conform to the guidelines already mentioned, in practice you'll be better off migrating completely to Windows 2000 DNS.
Another option is to run the Windows 2000 systems as secondary DNS servers and phase the migration of records to them. This will allow you to ensure that service can be maintained under the given network load.
TIP
You should split the servers performing Kerberos protocol authentication from those running DNS services. Under heavy loading conditions, for example, at the start of the work day when machines are switched on and users are logging on, large numbers of authentication and lookup requests will be generated.
Assuming your current DNS services are hosted on Windows NT, the information required to help plan the migration to Windows 2000 includes the following:
Bear in mind the following when planning the DNS migration:
NOTE
Windows 2000 DNS can't be managed by the Windows NT DNS Manager, and Windows NT DNS can't be managed by the Windows 2000 DNS manager.
Your Windows NT primary domain controller will also be your DNS server in this practice. When you upgrade this domain to Windows 2000, you'll be able to see the effect of upgrading a Windows NT server that also supports DNS. Therefore, you must install Windows NT DNS on this server.
To install DNS on the primary domain controller, MIGKIT1
The Select Network Service dialog box appears.
The necessary files will be copied from the CD-ROM, and then Microsoft DNS Server will appear in the Services list.
Now you must configure DNS on MIGKIT1. This machine will be configured with one zone containing only this machine.
To configure the DNS server
The IP address will appear in the server list, with a page of statistics in the right pane.
The Creating New Zone dialog box will appear.
Figure 4.9 Creating New Zone dialog box with zone information filled in
The zone should be created and appear underneath 192.168.0.100 in the left pane of DNS Manager, as shown in Figure 4.10.
Figure 4.10 Zone as it appears in DNS Manager
Before you add any further records, you'll create a reverse lookup zone. The reverse lookup zone enables the DNS server to supply the fully qualified domain name (FQDN) from the IP address; in other words, the reverse of the DNS server's typical function.
To create a reverse lookup zone
The Create New Zone dialog box appears.
The Zone File box will be filled in automatically.
The Reverse Lookup zone will be created and will appear in the left pane's server list.
Finally, you need to add an entry for the DNS host, your primary domain controller.
To add a domain host
Figure 4.11 New Host dialog box
The host name is added to DNS Manager, as shown in Figure 4.12.
Now you'll enter the IP address of the DNS host computer in the TCP/IP Properties dialog box.
Figure 4.12 DNS Manager with new host added
To enter the DNS host server information
If everything is set up correctly, the name should resolve to 192.168.0.100 and return a successful response (four lines of replies).
notepad migkit.microsoft.com.dns
notepad 0.168.192.in-addr.arpa.dns
You'll see the host name-to-IP address configurations and the reverse lookup information. These files are known as BIND files and are useful in assessing the clients registered by Windows NT DNS.
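As an added example (not part of the book or of Windows NT itself), the following Python script reads the two BIND-format zone files named above and cross-checks the forward A records against the reverse PTR records, which is one way to turn those files into an assessment of the clients registered in Windows NT DNS. The zone contents are constructed samples in the style of those files (the host names client1 and client2 are invented), and the exact layout Windows NT writes is an assumption.

```python
# Constructed sample zone data in the style of the files named on this page (layout assumed).
FORWARD_ZONE = """\
@        IN  SOA  migkit1.migkit.microsoft.com. administrator.migkit.microsoft.com. (
                  1 3600 600 86400 3600 )   ; serial refresh retry expire minimum
@        IN  NS   migkit1.migkit.microsoft.com.
migkit1  IN  A    192.168.0.100
client1  IN  A    192.168.0.101
"""
REVERSE_ZONE = """\
@        IN  SOA  migkit1.migkit.microsoft.com. administrator.migkit.microsoft.com. (
                  1 3600 600 86400 3600 )
@        IN  NS   migkit1.migkit.microsoft.com.
100      IN  PTR  migkit1.migkit.microsoft.com.
102      IN  PTR  client2.migkit.microsoft.com.
"""
RTYPES = {"SOA", "NS", "A", "PTR", "CNAME", "MX"}

def qualify(name, origin):
    """Expand '@' or a relative owner name into a lowercase FQDN without the trailing dot."""
    if name == "@":
        return origin.lower()
    return (name[:-1] if name.endswith(".") else f"{name}.{origin}").lower()

def parse_zone(text, origin):
    """Return (owner FQDN, record type, rdata) triples from a BIND-style zone file."""
    records, buf = [], []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # drop comments
        if not line.strip():
            continue
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):   # still inside a multi-line ( ... ) record
            continue
        buf = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        idx = next(i for i, t in enumerate(tokens[1:], 1) if t in RTYPES)   # skip class/TTL
        records.append((qualify(tokens[0], origin), tokens[idx], " ".join(tokens[idx + 1:])))
    return records

def reverse_owner(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"   # PTR owner name for an IPv4

def audit(fwd, rev):
    """Report A records lacking a PTR, and PTRs whose A record is gone or points elsewhere."""
    a_map = {reverse_owner(rdata): owner for owner, t, rdata in fwd if t == "A"}
    ptr_map = {owner: rdata.rstrip(".").lower() for owner, t, rdata in rev if t == "PTR"}
    missing_ptr = sorted(a_map[k] for k in a_map if k not in ptr_map)
    stale_ptr = sorted(ptr_map[k] for k in ptr_map if a_map.get(k) != ptr_map[k])
    return missing_ptr, stale_ptr
```

Run against the real files, the two lists show which registered hosts have no reverse entry and which reverse entries no longer match a host, which is worth recording before the DNS service is removed or migrated.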
You will now remove the DNS service to see what happens when DNS is not available when upgrading to Windows 2000. You will perform this upgrade in Chapter 6, "Performing an Upgrade."
When assessing your DNS servers, make copies of all the DNS files on each server. These files will help with the migration and serve as documentation of your system.
In this lesson, you learned how DNS is central to creating Windows 2000 Active Directory directory services. You learned how to install and configure DNS on Windows NT Server, and you also learned how to assess your DNS servers by looking at their BIND files. You learned that these files can be useful backups for a DNS rollback and for use in migrating to a new Windows 2000 DNS service.