Review of Active Directory and DNS Integration

With the release of the Windows 2000 server products, Microsoft introduced a new directory service to replace the flat domain directory structure of Windows NT. Active Directory is a much more complex directory structure and is dependent on knowing the structure of the network to function properly. To achieve this, Microsoft tied many functions of Active Directory into DNS and other networking technologies. But without a functioning and reliable DNS system, Active Directory is effectively useless. So even in a single-server network like most SBS installations, a basic understanding of DNS and how it integrates with Active Directory is important.

What Is DNS?

DNS stands for Domain Name System (or Domain Name Service or Domain Name Server, depending on your source) and is a mechanism for translating network computer names into IP addresses. DNS is like a large electronic phone book that computers the world over use to find each other.

Actually, DNS was devised more for humans than computers. Most humans have an easier time remembering words and phrases than numbers. Because all computer communication actually takes place using numeric values, this is essential for us. How much easier it is to remember or than or Additionally, no one device knows all the names and addresses of all network devices connected to the Internet, but the structure of the DNS system takes care of that for us, too.

How DNS Works

When you open your web browser and type in, the Google search home page appears magically on your screen. But actually many steps have to take place before that happens. First, your computer looks in its internal name cache to see whether an IP address for has already been looked up. If it has, the computer uses the address from the cache and attempts to make the connection to the server sitting at that IP address. If there is no address in the local cache, DNS kicks in. The computer contacts the DNS server listed in the network properties for the connection and asks that server for the address for That DNS server then looks in its local cache to see whether it has looked up the address before. If it has, the DNS server sends the address back to the computer, and the computer commences contacting the web server. If the DNS server does not have the address either in its configuration or local cache, it turns to another server and asks for the address, and so the process goes until a DNS server that has the IP address for the name can be found.

How Active Directory Relies on DNS

When a Windows server runs the DNS service and participates in Active Directory, the DNS server stores more than just machine names and addresses. A large number of service (SRV) records can be stored in DNS to allow computers in an Active Directory environment to locate machines running specific services related to Active Directory. The DNS Management Console is the tool used to view and configure DNS settings on the server. To open the DNS Management Console, click on Start, Administrative Tools, DNS or type dnsmgmt.msc in a command prompt or after choosing Start, Run. Figure 5.1 shows the DNS Management Console display for the internal domain. In Figure 5.1, you can see the DNS host records (also known as A records) for the SBS server as well as several of the workstations that belong to the domain. In addition, there are other non-host records in this location that help the network do basic internal hostname lookups.

Figure 5.1. The DNS Management Console displays the hostname to IP address listings for computers on the internal network.

Best Practice: Creating DNS Aliases Instead of Host Records

As shown in Figure 5.1, the entry for the DNS name companyweb is not a host record (A record) but is an alias (CNAME) record. When a CNAME record is looked up in DNS, it returns another DNS name instead of an IP address. Then a lookup is done on this new DNS name, which, in the case of companyweb, returns the IP address of the SBS server's internal NIC.

If you need to create any new DNS records that point to existing servers or workstations, such as creating a DNS name for the server that is easier for users to remember, create the record as a CNAME instead of a host record. If you create the entry as an A record and you need to change the IP address of the server, you will have to remember to go back in DNS and change the address associated with the A record. If you create the record as a CNAME, when you change the IP address of the server, the CNAME record automatically picks up the new address of the server because it always points to the DNS name of the server and not the IP address.

To create a new CNAME record, follow these steps:

1. Right-click on the DNS forward lookup zone and select New Alias (CNAME).

2. Enter the name for the new host in the Alias Name field.

3. Enter the fully qualified domain name for the existing machine in the Fully Qualified Domain Name (FQDN) for Target Host field.

4. Click OK.
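The same alias can be created and checked from the command line. The following is an added example, not from the book; it assumes Windows Server 2012 or later with the DnsServer PowerShell module (the book describes the DNS Management Console), and the zone name and hostnames are placeholders.

```powershell
# Added example (not the book's own procedure). Assumes the DnsServer module
# (Windows Server 2012+); zone and host names below are placeholders.
Import-Module DnsServer

$Zone   = 'smallbizco.local'            # internal AD-integrated zone (placeholder)
$Alias  = 'companyweb'                  # the easy-to-remember name users will type
$Target = 'sbsserver.smallbizco.local'  # FQDN of the existing server (placeholder)

# Steps 2-4 of the console procedure. The record points at the server's NAME,
# so re-addressing the server later never requires touching this record.
Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $Alias -HostNameAlias $Target

# Verify: the alias should resolve through a CNAME to the target's A record.
$answer = Resolve-DnsName -Name "$Alias.$Zone" -Type A -Server localhost
$cname  = $answer | Where-Object Type -eq 'CNAME'
$a      = $answer | Where-Object Type -eq 'A'
if ($cname.NameHost -ne $Target) { throw "CNAME for $Alias does not point at $Target" }
"{0} -> {1} -> {2}" -f $Alias, $cname.NameHost, ($a.IPAddress -join ',')

# Audit: A records that share an address with another host are exactly the
# entries the best practice says should have been CNAMEs; list them for review.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
  Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
  Where-Object Count -gt 1 |
  ForEach-Object { "{0}: {1}" -f $_.Name, ($_.Group.HostName -join ', ') }
```

The zone apex (@) record normally shares the server's address and will appear in the audit output; it is expected and can be ignored.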

Figure 5.2 shows an expanded view of the _msdcs zone for the internal network. This is where the meat of network information for Active Directory is stored. The _msdcs zone is subdivided into four areas: dc for domain controller references; domains for core domain information; gc for global catalog references; and pdc for primary domain controller references. Although most humans would never need to know this information interactively, when a workstation attempts to authenticate against Active Directory or processes a user login on the domain, it uses DNS to look up these services to find where it needs to go to connect to, for instance, the appropriate Kerberos service.
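The lookups a workstation performs against the dc, gc and pdc areas of _msdcs are SRV queries, and a broken or stale record there shows up as logon and authentication failures. The following added example (not from the book) queries those locator records and confirms that every host they advertise still has an A record; the domain and server names are placeholders.

```powershell
# Added example (not the book's own). Checks the _msdcs SRV locator records a
# domain member uses to find DCs, the global catalog, the PDC emulator and the
# Kerberos KDC, then confirms each advertised host resolves. Names are placeholders.
$Domain = 'smallbizco.local'
$Dns    = 'sbsserver.smallbizco.local'

# Well-known locator records under the _msdcs subdomains described above.
$Locators = @(
  "_ldap._tcp.dc._msdcs.$Domain",      # any domain controller (LDAP)
  "_kerberos._tcp.dc._msdcs.$Domain",  # Kerberos KDC on a domain controller
  "_ldap._tcp.gc._msdcs.$Domain",      # global catalog servers
  "_ldap._tcp.pdc._msdcs.$Domain"      # PDC emulator
)

foreach ($name in $Locators) {
  $srv = Resolve-DnsName -Name $name -Type SRV -Server $Dns -ErrorAction SilentlyContinue |
         Where-Object Type -eq 'SRV'
  if (-not $srv) {
    Write-Warning "MISSING: $name (clients cannot locate this service)"
    continue
  }
  foreach ($r in $srv) {
    # Each SRV answer names a host and port; if the host has no A record the
    # locator is dead even though the SRV record itself looks fine.
    $a = Resolve-DnsName -Name $r.NameTarget -Type A -Server $Dns -ErrorAction SilentlyContinue |
         Where-Object Type -eq 'A'
    $status = if ($a) { $a.IPAddress -join ',' } else { 'NO A RECORD' }
    "{0,-45} -> {1}:{2} [{3}]" -f $name, $r.NameTarget, $r.Port, $status
  }
}
```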

Figure 5.2. The _msdcs lookup zone contains lookup addresses for key Active Directory components.

A more detailed explanation of Active Directory, DNS, and the integration of the two is beyond the scope of this book. In fact, many books have already been published on Active Directory alone. For our purposes with this book, this basic understanding of the integration of DNS and Active Directory provides a foundation to be able to handle most issues that may arise in an SBS installation related to DNS and AD.