Monday 29 October 2007 5:35
Windows Server 2008 & Domain Name Service: What's New
DNS provides the name resolution services required by Active Directory. The DNS server in Windows Server 2008 complies with the set of Requests for Comments (RFCs) that define and standardize the DNS protocol.
Because the DNS Server service is RFC compliant and it can use standard DNS data file and resource record formats, it can work successfully with most other DNS server implementations, such as DNS implementations that use the Berkeley Internet Name Domain (BIND) software.
The DNS Server service in Windows Server 2008 includes some new and enhanced features described below.
1. Background zone loading
A DNS server running Windows Server 2008 now loads zone data stored in AD DS in the background while it (re)starts, so that it can respond immediately to requests for data from other zones. Because the task of loading zones is performed by separate threads, the DNS server is able to respond to queries while zone loading is in progress. Let's have a look at the startup sequence:
- The DNS server starts and first enumerates all zones to be loaded.
- It loads root hints from files or AD DS storage.
- All file-based zones (zones stored in files rather than integrated in AD DS) are loaded.
- The DNS server begins responding to queries and remote procedure calls (RPCs).
- All AD DS-integrated zones are loaded afterwards by one or more spawned threads.
2. GlobalNames Zone
This new feature provides single-label name resolution for large enterprise networks that do not deploy Windows Internet Name Service (WINS) and where using DNS name suffixes to provide single-label name resolution is not practical.
When the GlobalNames zone is deployed, single-label name resolution by clients works as follows:
- The client's primary DNS suffix is appended to the single-label name and the query is submitted to the DNS server.
- If that FQDN does not resolve, the client requests resolution using its DNS suffix search list.
- If none of those names resolve, the client requests resolution using the single-label name.
- If the single-label name appears in the GlobalNames zone, the DNS server hosting the zone resolves the name. Otherwise, the query fails over to WINS.
The GlobalNames zone provides single-label name resolution only when all authoritative DNS servers are running Windows Server 2008. No changes to client software are required to enable single-label name resolution with this feature.
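To make the precedence of those four steps concrete, here is an added Python model of the client order (not code from the original post): the zone contents, the GlobalNames entries and the WINS database are constructed sample data, and the GlobalNames entries map straight to addresses rather than to the CNAME records a real GlobalNames zone holds.

```python
"""Model of the single-label resolution order described above.

Added example: the zone data, GlobalNames entries and WINS database
below are constructed sample data, not taken from the original post.
"""
from typing import Dict, List, Optional, Tuple

# Constructed records in ordinary AD DS-integrated zones (FQDN -> address).
AUTHORITATIVE_ZONES: Dict[str, str] = {
    "fileserver.emea.example.com.": "10.1.1.20",
    "intranet.corp.example.com.": "10.2.2.30",
}
# Constructed GlobalNames zone. A real GlobalNames zone holds CNAME records
# pointing at FQDNs; here each single-label name maps straight to an address.
GLOBALNAMES_ZONE: Dict[str, str] = {
    "intranet": "10.2.2.30",
    "payroll": "10.3.3.40",
}
# Constructed WINS database, consulted only when everything else fails.
WINS_DATABASE: Dict[str, str] = {"legacyapp": "10.9.9.99"}


def resolve_single_label(name: str, primary_suffix: str,
                         search_list: List[str]) -> Tuple[str, Optional[str]]:
    """Return (step, address); 'step' names the lookup that answered.

    Order follows the page: primary DNS suffix, then each suffix in the
    search list, then the GlobalNames zone, then WINS. A name that exists
    in one of the suffix zones therefore shadows a GlobalNames entry.
    """
    if "." in name:
        raise ValueError("only single-label names take this path")
    label = name.lower()
    candidates = [(f"{label}.{primary_suffix}.", "primary-suffix")]
    candidates += [(f"{label}.{s}.", "search-list") for s in search_list]
    for fqdn, step in candidates:
        address = AUTHORITATIVE_ZONES.get(fqdn.lower())
        if address:
            return step, address
    address = GLOBALNAMES_ZONE.get(label)
    if address:
        return "globalnames", address
    address = WINS_DATABASE.get(label)
    if address:
        return "wins", address
    return "failed", None  # single-label resolution failed everywhere


if __name__ == "__main__":
    # Same name, different client suffix: answered from a different source.
    print(resolve_single_label("intranet", "corp.example.com", []))
    print(resolve_single_label("intranet", "emea.example.com", []))
```

Run with two different primary suffixes to see the same name answered once from the suffix zone and once from the GlobalNames zone.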
Don't forget to choose the appropriate storage method and replication scope for this zone.
Recommendation: Create the new "GlobalNames" zone as an AD DS-integrated zone, stored in the forest-wide DNS application partition (replicating to all domain controllers that are DNS servers in the forest).
dnscmd ServerName /ZoneAdd GlobalNames /DsPrimary /DP /forest
- Enable the GlobalNames Zone functionality on the DNS Server.
Ensure that the GlobalNamesSupport registry setting has been enabled on all DNS servers, using dnscmd as follows:
dnscmd ServerName /config /EnableGlobalnamesSupport 1
For more information: DNS Server GlobalNames Zone Deployment white paper
WINS is still often used as a secondary name-resolution protocol alongside DNS. WINS is an older protocol that relies on NetBIOS over TCP/IP (NetBT), so it is approaching obsolescence. But how do you actually know whether your WINS servers are still being used? Have a look at Performance Monitor, using the WINS counter "Queries/second".
3. Support for IPv6 zones
DNS servers running Windows Server 2008 now support IPv6 addresses (AAAA records, 128-bit addresses = 4x32 bits) as fully as they support IPv4 addresses (A records, 32-bit addresses = 1x32 bits). DHCP clients can also register IPv6 addresses in addition to IPv4 addresses.
In the DNS snap-in, wherever an IP address is typed or displayed, the address can display as an IPv4 address or an IPv6 address.
The dnscmd command-line tool also accepts addresses in either format.
DNS servers can now send recursive queries to IPv6-only servers and the server forwarder list can contain both IPv4 and IPv6 addresses.
DNS servers now support the ip6.arpa domain namespace for reverse lookup mapping.
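As an added example (not from the original post), the Python below builds the in-addr.arpa and ip6.arpa owner names that PTR records use, and a second helper derives the reverse zone name for a prefix; only the standard library ipaddress module is used and the sample addresses are constructed.

```python
"""Reverse-lookup names for IPv4 (in-addr.arpa) and IPv6 (ip6.arpa).

Added example, not from the original post; only the standard library
'ipaddress' module is used and the sample addresses are constructed.
"""
import ipaddress


def reverse_lookup_name(address: str) -> str:
    """Return the PTR owner name for an IPv4 or IPv6 address.

    IPv4: the four octets reversed under in-addr.arpa.
    IPv6: the address expanded to all 32 hexadecimal nibbles, one label per
    nibble, reversed, under ip6.arpa. The nibble format is what makes an
    IPv6 reverse zone look so different from an IPv4 one.
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(ip.exploded.split("."))) + ".in-addr.arpa."
    nibbles = ip.exploded.replace(":", "")  # 32 zero-padded hex digits
    return ".".join(reversed(nibbles)) + ".ip6.arpa."


def reverse_zone_name(network: str) -> str:
    """Return the reverse zone that holds PTR records for a prefix.

    IPv4 zones are cut at octet boundaries (/8, /16, /24) and IPv6 zones at
    nibble boundaries (/4, /8, ... /124); other prefix lengths do not map to
    a single reverse zone and are rejected.
    """
    net = ipaddress.ip_network(network, strict=True)
    bits_per_label = 8 if net.version == 4 else 4
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{network} is not aligned to a reverse-zone label")
    labels = reverse_lookup_name(str(net.network_address)).split(".")
    address_labels = net.max_prefixlen // bits_per_label  # 4 or 32
    keep = net.prefixlen // bits_per_label
    # Drop the host part of the reversed address; keep the network labels
    # plus the in-addr.arpa / ip6.arpa suffix.
    return ".".join(labels[address_labels - keep:])


if __name__ == "__main__":
    print(reverse_lookup_name("2001:db8::1"))
    print(reverse_zone_name("2001:db8::/32"))
```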
4. Read Only Domain Controller (RODC) support
To support RODCs, a DNS server running Windows Server 2008 supports a new type of zone, the "primary read-only zone". When a computer becomes an RODC, it replicates a full read-only copy of all application directory partitions that DNS uses, including the domain partition, ForestDNSZones and DomainDNSZones. This ensures that the DNS server running on the RODC has a full read-only copy of any DNS zones stored on a centrally located domain controller in those directory partitions.
The administrator of an RODC can view the contents of a primary read-only zone. However, the contents of the zone can only be changed on the centrally located writable Windows Server 2008-based domain controller and replicated back to all RODCs.
5. DNS client DC Locator mechanism
A DNS client computer running Windows Vista or Windows Server 2008 periodically searches for a domain controller in the domain to which it belongs. This functionality helps avoid the performance problem that occurs when a DNS client locates its domain controller during a period of network failure and thereby becomes associated with a domain controller located on a slow link.
Previously, this association continued until the client was forced to locate a new domain controller, for example, when the client computer was disconnected from the network for a long period of time. By periodically renewing its association with a domain controller, a DNS client can now reduce the probability that it will be associated with an inappropriate domain controller.
The rediscovery interval can be configured via Group Policies under
Computer Configuration\Administrative templates\System\Netlogon\DC Locator DNS Records\Force Rediscovery Interval
Next Closest Site/DC
A DNS client computer running Windows Vista or Windows Server 2008 can be configured to locate the nearest domain controller, using the defined Active Directory site link costs, instead of searching randomly. This functionality can improve network performance in networks containing domains that span slow links. However, because locating the nearest domain controller can itself have a negative impact on network performance, this functionality is not enabled by default.
The nearest domain controller discovery can be configured via Group Policies under
Computer Configuration\Administrative templates\System\Netlogon\DC Locator DNS Records\Try Next Closest Site
Related reading: Jorge's Quest for Knowledge (MVP Directory Services)
For more information: Windows Server 2008 TechCenter
Filed under: WindowsServer2008, GroupPolicies, DNS