By Andrej Budja
As you know, Microsoft has made a lot of changes to its premier operating system. One of the most drastic changes is the new directory service called Active Directory (AD), which stores all information about users, computers, printers, and other resources on the network. The upside to this change is that the new directory is more scalable than previous versions. The downside is that it creates another learning curve for network administrators.
AD and DNS
One of the big differences in this new AD service is that it requires the use of the Domain Naming System (DNS). We all know DNS. We use it every day when sending mail, reading Web pages, or chatting with other people over the Internet. Maybe we don’t directly interact with it, but everything we do on the Internet goes “through” DNS.
Interestingly enough, DNS is not required on Windows NT 4 networks because Windows NT and other older Microsoft operating systems still use NetBIOS. However, for a Windows 2000 installation, you can’t choose between NetBIOS and DNS. NetBIOS is supported only for compatibility with lower-level clients (Windows NT 4, Windows 9x, and so on.). Also, you cannot successfully run AD without DNS in place. If you’re starting to worry about this change, relax—this is a great move by Microsoft because we can finally get rid of some old NetBIOS problems.
AD integrated zones
Windows 2000 DNS service goes by the book and implements most of the features as defined in recent Requests For Comments (RFCs). The only proprietary solution in Microsoft’s DNS is the AD integrated zones. DNS servers normally hold their database resource records (zone files) in plain-text files. In Windows 2000, any domain controller running DNS can update zone files. Additionally, Microsoft decided to provide an option to hold the zone information in AD.
The biggest advantage of implementing zones in AD is that there is no single point of failure. In DNS, only one server is the primary server that holds the write copy of the zone. All other servers are secondary for that zone and can only read (not write) from it. All changes must happen on the server that holds the primary zone. Problems can occur when this server goes offline. When this happens, you can’t update the zones unless you promote another server to be primary. This is similar to the Primary Domain Controller (PDC)-Backup Domain Controller (BDC) relation in Windows NT 4. But when you implement AD integrated zones, all servers can make changes to it. If one server goes down, users won’t even notice. This feature is important because Windows 2000 DNS supports clients that can dynamically update their records in the DNS. By not having a single point of failure, we can minimize error messages, resolutions problems, and help desk calls.
Another advantage of this feature is replication. Because zones are in AD, changes are replicated through AD. This mechanism is much more efficient than ordinary DNS replication. Normally, when changes on the master server occur, secondary servers will get the whole zone. For example, if you have a large zone, and you add only one new record, the whole zone will be transferred to secondary servers. This can cause a lot of traffic. To overcome this problem, a lot of DNS servers implement IXFR or incremental zone transfers as defined in RFC 1995. This allows servers to transfer only changes and not the whole zone. Microsoft DNS service in Windows 2000 supports IXFR.
Because Windows 2000 DNS service supports dynamic updates, malicious users can potentially add records and create big problems on the network. Fortunately, with AD integrated zones, you can define the users who are allowed to update DNS records.
Although AD integrated zones have a lot of advantages, we also have to consider some of the disadvantages. One of them is performance. Because all records are in AD, the resolution process is a bit slower. I haven‘t performed any scientific tests, but Microsoft determined that where AD integrated zones are used, the rate of dynamic updates that can be processed decreases by a factor of 2. If you additionally implement secured dynamic updates, the update rate decreases by another 25 percent.
Also on my list of disadvantages is the AD replication process. While this process is very efficient, DNS zones are stored in the domain naming context. This means that the records can be replicated only between domain controllers in the same domain. If you want to replicate zone data to a DNS server in some other AD domain, that server will have to use standard zones (in text files) and old DNS transfer methods.
Despite those disadvantages, you can gain a lot by implementing AD integrated zones. AD is a big change, but a good step forward, and implementing AD integrated zones will offer better scalability for future network growth. Of course, if you’re not comfortable with DNS from Microsoft, you can still use standard DNS servers. Just make sure you know what you will be giving up.
Andrej Budja, MCSE+I, MS MVP, has been around computers since the dark ages of DOS. He likes to learn new technologies and is known as a guy who’s always ready to help. He does this every day in the Microsoft Windows 2000 newsgroups.
If you’d like to share your opinion, post a comment in the Discussions section below or send the editor an e-mail.