If Active Directory is deployed in an existing network that already uses a DNS service, an interoperation problem may arise if the legacy DNS service does not conform to the Windows 2000/.NET DNS requirements. This is neither a rare nor a hopeless situation; a workable compromise can be reached. We shall use the adjective legacy for any DNS server that supports neither dynamic record updates nor SRV records (for example, an NT 4.0 DNS Server or a UNIX DNS server). In addition, the configuration shown below can serve as an example of heterogeneous DNS service deployment and DNS zone delegation (which may be helpful in various cases).
You can easily diagnose the problem by examining the System log after creating the first domain controller. (It is strongly recommended that you check all logs whenever a DC is created!) After the domain controller boots, a warning (ID 5773) from Netlogon may appear in the System log; Windows .NET systems explain the issue clearly:
    The following DNS server that is authoritative for the DNS domain controller locator records of this domain controller does not support dynamic DNS updates:
    DNS server IP address: 192.168.1.155
    Returned Response Code (RCODE): 4
    Returned Status Code: 9004
    USER ACTION
    Configure the DNS server to allow dynamic DNS updates or manually add the DNS records from the file '%SystemRoot%\System32\Config\Netlogon.dns' to the DNS database.
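The two numbers in that event are worth understanding before touching any configuration. RCODE 4 is NOTIMP in RFC 1035 terms: the server does not implement the opcode it was sent, which here is the dynamic UPDATE opcode (5, RFC 2136). Windows reports DNS response codes as Win32 status 9000 + RCODE, so 9004 is the same NOTIMP. The following header encoder/decoder is an added example written for this page (not from the original text or from any Microsoft tool); it builds a constructed UPDATE request header and the NOTIMP answer a legacy server would return, then interprets the result. Message id, record counts and the sample exchange are constructed values.

```python
"""Decode the DNS header of a dynamic update request and its response (RFC 1035 / RFC 2136)."""
import struct

OPCODE_QUERY = 0
OPCODE_UPDATE = 5                     # dynamic update opcode, RFC 2136
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
WIN32_DNS_STATUS_BASE = 9000          # Windows reports RCODE n as status 9000 + n (9004 = NOTIMP)


def build_header(msg_id, opcode, *, qr=False, rcode=0, counts=(0, 0, 0, 0)):
    """Build the 12-byte DNS header. For UPDATE the four counts are ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT."""
    if not (0 <= opcode <= 15 and 0 <= rcode <= 15):
        raise ValueError("opcode and rcode are 4-bit fields")
    flags = (int(qr) << 15) | (opcode << 11) | rcode
    return struct.pack("!HHHHHH", msg_id, flags, *counts)


def parse_header(data):
    """Parse the header fields we care about; rejects truncated input instead of guessing."""
    if len(data) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, c1, c2, c3, c4 = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": msg_id,
        "qr": bool(flags >> 15),          # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "counts": (c1, c2, c3, c4),
    }


def explain_update_response(request, response):
    """Match the response to the UPDATE request and say what its RCODE means for dynamic update support."""
    req, resp = parse_header(request), parse_header(response)
    if req["opcode"] != OPCODE_UPDATE:
        raise ValueError("request is not an UPDATE message")
    if not resp["qr"] or resp["id"] != req["id"]:
        raise ValueError("response does not answer this request")
    rcode = resp["rcode"]
    return {
        "rcode": rcode,
        "name": RCODE_NAMES.get(rcode, f"RCODE{rcode}"),
        "win32_status": WIN32_DNS_STATUS_BASE + rcode,
        # NOTIMP: the server does not implement UPDATE at all (the legacy server in the event text).
        # REFUSED: it implements UPDATE but policy denies this client. NOERROR: the update was applied.
        "server_implements_update": rcode != 4,
    }


# Constructed sample exchange: the DC sends an UPDATE (one zone, one update RR); a legacy server answers NOTIMP.
SAMPLE_REQUEST = build_header(0x2A3B, OPCODE_UPDATE, counts=(1, 0, 1, 0))
SAMPLE_RESPONSE = build_header(0x2A3B, OPCODE_UPDATE, qr=True, rcode=4)

if __name__ == "__main__":
    print(explain_update_response(SAMPLE_REQUEST, SAMPLE_RESPONSE))
```

Running it reports `NOTIMP`, status 9004 and `server_implements_update: False`, which is exactly the condition the rest of this section works around: no amount of permission tuning on the legacy server will help, because the opcode itself is missing.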
Let us take a specific scenario and discuss in detail how to solve the problem. To simplify the situation, we will use a minimal number of computers.
Suppose we have an existing Windows NT 4.0 DNS server authoritative for the net.dom domain. The server stores the forward and reverse zones: net.dom and 1.168.192.in-addr.arpa. All domain controllers and clients (including Windows 2000/XP/.NET computers) have to use this server as their preferred DNS server.
Remember that reverse zones are not required for Active Directory; they are included here to provide a fully operational DNS configuration.
The second DNS server (based on a Windows 2000 or Windows .NET server) has to be configured to support all updateable resource records for an Active Directory domain. Computer names and addresses are shown in the table below:
Computer's name and role
    NT4SRV5 (NT 4.0 DNS server)
    NETDC1 (Windows .NET DNS server)
    NETDC4 (Windows .NET domain controller)
By default, dynamic registration of a host's name and address on the preferred DNS server is enabled, so in our scenario we need to disable registration on all Windows 2000/XP/.NET computers to avoid error messages in the computers' System logs. To do this, clear the Register this connection's addresses in DNS check box on the DNS tab of the Advanced TCP/IP Settings window. Then you have to manually create a host record (type A) for each domain controller and computer on the preferred server.
On the Windows .NET DNS server, we need to create the four dynamically updatable authoritative zones necessary for the domain to function. These zones will answer the queries for locator records that the preferred server cannot hold itself and therefore delegates to this server. In our scenario, all these zones' names have the net.dom suffix. (In general, these zones can be either standard or Active Directory-integrated.)
The zones created will be the following (the four subdomains under which Netlogon.dns places the locator records):
    _msdcs.net.dom
    _sites.net.dom
    _tcp.net.dom
    _udp.net.dom
Furthermore, we also have to allow dynamic updates of these zones. Fig. 4.6 illustrates the result obtained in this preliminary step. Notice that each zone has SOA and NS records: the server is authoritative for the zone and answers the queries for names stored in it.
Fig. 4.6: Creating dynamically updatable authoritative zones on a Windows .NET DNS server
It is now necessary to create the dynamic zone names in the domain authoritative zone and delegate them to the Windows .NET DNS server, where the zones will be stored and updated. All zone names are created as domains within the main authoritative zone net.dom. (The procedure described below will also help you create a zone on any type of DNS server and delegate it to another DNS server.) The following operations have to be carried out:
1. Right-click the main zone name and select the New Domain command from the context menu. Create the four necessary domains.
2. Right-click a created domain (e.g., _msdcs.net.dom) and select the New Record command from the context menu. Then select the NS Record type and specify the DNS name of the server that stores the authoritative zone with the same name. Repeat this step for each created domain.
The result that should be obtained is illustrated in Fig. 4.7. (A Windows NT 4.0 Server with SP6a was used.) All DNS queries for records that belong to the zones shown will be referred to the DNS server NETDC1, which is authoritative for them.
Fig. 4.7: Authoritative DNS server for domain net.dom and the zones delegated to the dynamic DNS server NETDC1
In addition, we need to register the following records on the Windows NT 4.0 DNS server in the domain authoritative zone:
Two type A (host) records (with corresponding PTR records) for the Windows .NET computers NETDC1 and NETDC4. (Such records will be necessary for each domain computer.)
A type A (host) record for the net.dom name (this record is needed for finding a domain controller using a simple name lookup). To create such a record, choose an ordinary A Record, leave its name blank, and specify the IP address of a domain controller (NETDC4). (This record must be created for each domain controller in the net.dom domain.)
The latter type A record requires additional attention. By design, this record is dynamically updatable: the domain controllers' Netlogon service re-registers it after each system boot. In our case, an update is impossible, so an error message will be generated periodically in the System log. You can suppress the error by adding the RegisterDNSARecords DWORD value (set to 0x0) to the registry subkey HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters.
If you disable registration of A records by setting the RegisterDNSARecords value to 0, two records will be deleted from the netlogon.dns file on the domain controller NETDC4:
net.dom. IN A 192.168.1.4
gc._msdcs.net.dom. IN A 192.168.1.4
If a domain controller stores an application partition, a corresponding A record will also be deleted, for example:
ForestDnsZones.net.dom. 600 IN A 192.168.1.4
The RegisterDNSARecords value (when set to 0x0) also prevents the Netlogon service from updating the host (type A) record for the gc._msdcs.net.dom name. You must add this record manually, and re-register it if the Global Catalog server's location changes.
Thus, we have covered the preliminary steps, and now the domain controller NETDC4 is able to update (or create for the first time) all necessary SRV records. You need to restart the Netlogon service or, preferably, reboot the system. (You can also use the nltest /DSREGDNS command.) After this, you will get all updatable records on the Windows .NET DNS server (NETDC1) (Fig. 4.8).
Fig. 4.8: The name structure of all needed SRV records, shown on a dynamic DNS server
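The procedure above amounts to splitting the contents of Netlogon.dns between two servers: everything under the four delegated subdomains goes to the dynamic server, the apex A record goes to the legacy server by hand, and the A records are the ones RegisterDNSARecords=0 removes. The script below is an added example written for this page (it is not from the original text or from any Microsoft tool) that performs this bookkeeping on a constructed Netlogon.dns sample modelled on the record forms quoted in the text. It parses the file, buckets each record by the zone that will hold it, lists the A records that RegisterDNSARecords=0 suppresses, and emits the NS delegation lines and PTR owner names for the legacy server. The sample records, the host name netdc1.net.dom for the dynamic server and the inclusion of ForestDnsZones records are constructed; records that fall outside the four delegations are reported separately so the administrator sees what those delegations do not cover.

```python
"""Split a domain controller's Netlogon.dns records between a legacy parent zone and delegated dynamic zones."""
import ipaddress

DOMAIN = "net.dom"
# The four subdomains Netlogon places the locator records under; each one is delegated to the dynamic server.
DELEGATED_SUBDOMAINS = ("_msdcs", "_sites", "_tcp", "_udp")

# Constructed sample in Netlogon.dns format (not a capture from a real DC); the TTL column is optional.
SAMPLE_NETLOGON_DNS = """\
net.dom. IN A 192.168.1.4
_ldap._tcp.net.dom. 600 IN SRV 0 100 389 netdc4.net.dom.
_kerberos._tcp.net.dom. 600 IN SRV 0 100 88 netdc4.net.dom.
_kerberos._udp.net.dom. 600 IN SRV 0 100 88 netdc4.net.dom.
_ldap._tcp.Default-First-Site-Name._sites.net.dom. 600 IN SRV 0 100 389 netdc4.net.dom.
_ldap._tcp.dc._msdcs.net.dom. 600 IN SRV 0 100 389 netdc4.net.dom.
gc._msdcs.net.dom. 600 IN A 192.168.1.4
_ldap._tcp.gc._msdcs.net.dom. 600 IN SRV 0 100 3268 netdc4.net.dom.
ForestDnsZones.net.dom. 600 IN A 192.168.1.4
_ldap._tcp.ForestDnsZones.net.dom. 600 IN SRV 0 100 389 netdc4.net.dom.
"""


def parse_netlogon_dns(text):
    """Parse 'owner [ttl] IN type rdata...' lines into dicts; owner names are lower-cased, comments stripped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        owner = fields[0].lower()
        if fields[1].isdigit():
            ttl, rest = int(fields[1]), fields[2:]
        else:
            ttl, rest = None, fields[1:]
        if len(rest) < 3 or rest[0].upper() != "IN":
            raise ValueError(f"unexpected record syntax: {raw!r}")
        records.append({"owner": owner, "ttl": ttl, "type": rest[1].upper(), "rdata": " ".join(rest[2:])})
    return records


def delegated_zone_for(owner, domain=DOMAIN, subdomains=DELEGATED_SUBDOMAINS):
    """Return the delegated zone (e.g. '_msdcs.net.dom.') that owns the name, or None if it is not delegated."""
    labels = owner.rstrip(".").lower().split(".")
    domain_labels = domain.lower().split(".")
    for sub in subdomains:
        zone_labels = [sub] + domain_labels
        if len(labels) >= len(zone_labels) and labels[-len(zone_labels):] == zone_labels:
            return ".".join(zone_labels) + "."
    return None


def classify(records, domain=DOMAIN):
    """Bucket records by the server that will hold them: a delegated zone, the parent zone apex, or neither."""
    buckets = {"parent": [], "outside": []}
    for rec in records:
        zone = delegated_zone_for(rec["owner"], domain)
        if zone:
            buckets.setdefault(zone, []).append(rec)
        elif rec["owner"] == domain.lower() + ".":
            buckets["parent"].append(rec)      # the apex A record, created by hand on the legacy server
        else:
            buckets["outside"].append(rec)     # not covered by the four delegations (e.g. application partitions)
    return buckets


def suppressed_by_register_dns_a_records_0(records):
    """With RegisterDNSARecords=0 Netlogon stops registering its host (A) records; these must be created by hand."""
    return [r for r in records if r["type"] == "A"]


def delegation_records(ns_host, domain=DOMAIN, subdomains=DELEGATED_SUBDOMAINS):
    """NS records to add to the parent zone on the legacy server, one per delegated subdomain."""
    return [f"{sub}.{domain}. IN NS {ns_host.rstrip('.')}." for sub in subdomains]


def ptr_owner(ip):
    """Owner name of the PTR record for an IPv4 address, e.g. 192.168.1.4 -> 4.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for zone, members in classify(recs).items():
        print(zone, [r["owner"] for r in members])
    print("suppressed A records:", [r["owner"] for r in suppressed_by_register_dns_a_records_0(recs)])
    print("\n".join(delegation_records("netdc1.net.dom")))   # constructed host name for the dynamic server
    print(ptr_owner("192.168.1.4"))
```

The `outside` bucket is the useful edge case: the ForestDnsZones records in the sample share the net.dom suffix but belong to none of the four delegated subdomains, so the delegations built in Fig. 4.7 will not route queries for them anywhere. Seeing that list before rebooting NETDC4 is cheaper than finding it in the System log afterwards.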
Now you can (and should) check all DNS logs and test the domain controller to make sure that all records have been registered correctly.