In-Depth

Team Effort: Integrating Windows 2000 DNS with Unix DNS

Microsoft's new domain name service is enticing but requires significant planning, especially across platforms and operating systems. Perhaps the greatest challenge is interoperability with Unix DNS.

As companies begin to integrate Microsoft’s new operating system with their current Windows NT environments, big obstacles will begin to surface for enterprise IT teams. One of those is the interoperability and integration of Windows 2000’s Active Directory into their directory service infrastructures. Active Directory is Microsoft’s directory services debut. One of the company’s goals for AD is to consolidate directory services through interoperation with other directories. My focus here will be on Windows 2000 and Unix Domain Name System (DNS) interoperability, which can provide a sturdy framework from which to begin to build your AD implementation.

DNS Interoperability

Great challenges and significant planning go into designing an effective directory service. Perhaps the greatest of these challenges in the enterprise is interoperability. Since most enterprises currently host DNS on Unix servers running BIND (which I’ll explore shortly), how do they integrate AD, which relies entirely on DNS, into this environment?

Since clients in a Win2K environment look up SRV resource records in the DNS server to locate their network’s AD and services, it’s important that Unix servers have recent BIND versions installed to perform these functions.

Some of the new DNS requirements of AD are:

  • Support of SRV records (RFC 2782).
  • Recommended support of dynamic updates (RFC 2136).
  • Recommended support of incremental zone transfer (IXFR) (RFC 1995).
  • BIND 8.2.2 or higher will support DNS extensions used by AD.

Win2K clients use DNS for name resolution and for locating domain controllers for logon. Down-level clients (Windows NT 4.0 and earlier and Windows 9x) rely on NetBIOS, which uses WINS, broadcast or LMHOSTS files. WINS is used for domain controller location. Since Win2K DNS is WINS-“aware,” a combination of DNS and WINS can be implemented in a mixed environment. NT 4.0 clients can register in Win2K WINS, and Win2K clients can register in NT 4.0 WINS.

In the Real World

In the real world, many companies running heterogeneous environments maintain DNS domains on Unix servers. There are a number of reasons for this. Most large companies—as well as the World Wide Web—initiated DNS domains on Unix servers. Microsoft didn’t enter the DNS arena until the release of NT 4.0 in 1996. Today, most of the Internet’s primary DNS servers run Unix BIND (Berkeley Internet Name Domain), which is shipped free with most Unix systems. BIND is well understood and stable. Due to shortcomings in Microsoft’s previous release of DNS, companies continue to maintain Unix-based implementations and third-party solutions.

Interoperability Issues

If you get anything out of this article, it should be this: It’s imperative that you coordinate and plan your AD and Unix DNS integration with your current DNS team. While AD may sound quite enticing to the Windows support team of a larger company, if you’re operating in a heterogeneous environment, the debate over directory services may turn into nothing short of a technology holy war.

Many large enterprises have been hosting their DNS domains on Unix servers for a long time. From their perspective, why change something that isn’t broken, especially for an unproven and proprietary Microsoft product? Windows DNS has raised the stakes by being fully compliant with Internet standards and by providing a wider spectrum of features than specified in the current RFC documents. Because of its advanced features, you need to be cautious when planning integration, particularly AD-integrated zones.

When integrating AD into an existing DNS infrastructure, your discussions should focus on whether the AD namespace will join, overlap, or trump your existing DNS namespace. If you’re in a larger company, chances are the AD service you’re designing will need to be integrated into existing DNS infrastructure. Let’s explore in greater detail the three options for integrating Win2K DNS into your current DNS:

  • Implement Microsoft DNS in AD and replace current DNS services.
  • Integrate your Unix DNS structure into the DNS required for Win2K.
  • Maintain your Unix DNS structure with Win2K.

Your choice will depend on a variety of variables, including your current DNS infrastructure and specifications, as well as the many pending political issues.

Understanding Microsoft DNS

The Domain Name System is a distributed and hierarchical database that provides scalability and hostname-to-IP address resolution. The hostname must be a fully qualified domain name (FQDN) or a domain name that resolves to a particular IP address. Windows 2000 uses DNS, rather than WINS, to integrate with the Internet. DNS is composed of domains, name servers, and zones. Top-level domains such as .edu, .com, and .org are subdivided and delegated to other organizations (microsoft.com, stanford.edu) to form subdomains. These subdomains are further split into zones (abc.microsoft.com, for example). A large company will contain many zones, which are maintained by local DNS servers and administrators.

Microsoft DNS features include many recent standards, including:

  • Secure dynamic updates.
  • Incremental zone transfer (IXFR), which allows only changes in the zone table to be replicated, thereby reducing network traffic.
  • Notification-driven zone transfers, which allow the master server to notify secondary servers of an update and prompt them for immediate replication.
  • Record aging.
  • Ability to load server configuration from Directory Service.

Some recent proprietary features include:

  • Unicode Character support (not particularly a much-requested feature, but noteworthy).
  • AD-integrated zones, which allow zones updated by a domain controller (DC) running DNS to be stored in AD. This is proprietary to Windows 2000 DNS.

There’s a significant advantage to storing your Microsoft DNS information in AD. In standard DNS, replication is single master, pulling updates to secondary servers. This leaves a single point of failure, and many companies implement primary and backup DNS servers. However, by implementing AD storage of DNS, replication is multi-master, since AD replicates between the domain controllers running DNS on your network. With AD storage of Microsoft DNS, there’s no need to manage a separate replication structure; transfers are secure (managed by trusts in AD); and there’s no single point of failure. You can also send standard zone transfers to other servers as necessary. With AD storage, DNS data is converted to an object model in which a DNS name becomes the object and the resource record set is the attribute.

Performance and manageability advantages can push you to seriously consider the integration of DNS with AD—with a few caveats. For one, only primary zones can be AD-integrated, so the DNS server hosting the zone must be running Win2K, not BIND or NetWare NDS. Only domain controllers can host AD-integrated zones, although you can have read/write access from any client loaded with the DNS snap-in. Another is the manual process of importing current zone files into Win2K DNS. The only current method for doing this is to move the pre-created zone file into the systemroot\system32\dns folder and then indicate the use of that zone file when you set up the zone as primary. Then you can convert this zone to an AD-integrated zone.

—Kevin Kocis

Microsoft’s Choice

Option one (see Figure 1), implementing proprietary Microsoft DNS with AD, is Microsoft’s choice for obvious reasons. If your company is committed to redesigning your DNS infrastructure around Win2K AD, this should be your choice. If you have older Unix machines running older versions of BIND (such as 4.x) and feel the upgrade process isn’t worthwhile based on the enterprise shift to AD, consider this option. Migration from NT 4.0 DNS is relatively easy.

Figure 1. Option 1 for DNS integration involves: 1) bringing in Microsoft DNS as a secondary zone; 2) performing a zone transfer; 3) removing Unix DNS services; 4) last, optionally switching to AD integrated zones.

When migrating Unix DNS servers to the Win2K DNS, you should first introduce Win2K DNS servers as secondary servers. Configure a zone transfer from a master to a secondary Win2K DNS server and make sure there are no errors in the zone transfer process. You may receive errors if the Win2K DNS server can’t recognize records sent by the Unix DNS server during the zone transfer. You should either repair or remove the records from the zone in order for the zone transfer to complete successfully. You can also FTP the forward and reverse zone files from your Unix DNS server (the db.xxx files referenced in etc/named.boot or etc/named.conf, depending on the BIND version) to the C:\winnt\system32\dns directory on your Win2K DNS server.

After you’ve successfully completed this task, your secondary zones can be upgraded to AD-integrated zones. You should change the Start of Authority (SOA) resource record to point to one of the AD-integrated DNS servers. Then you can terminate your Unix DNS servers (to avoid duplicate SOA records for the same zone) and remove them from the network.

As I mentioned earlier, Microsoft DNS meets and exceeds all Internet DNS server requirements. Microsoft DNS also supports Unicode and full DHCP integration and provides a friendly graphical interface. Standardization is a key to maintaining total cost of ownership and provides a focal point for support (in other words, a less diverse support environment). Another advantage is that conventional zone transfers become obsolete in the presence of AD’s multiple-master replication scheme.

The disadvantage will come in the form of integration. One issue is that AD-integrated zones must be stored on DCs in the same domain. If you need to cross domains, then you must create secondary zones at other DNS servers outside the domain.

Implementing Microsoft DNS in a Unix DNS environment will require additional efforts, including the transferring of resource records. It’s imperative that you work closely with your current DNS administrators regardless of which option you choose. Another caveat to integrating DNS in AD is that if the directory is unavailable—you guessed it—so is DNS. This is a catch-22, since DCs in other domains need DNS to find AD services; if DNS is unavailable, you may experience difficulty reaching the DCs to repair them. As with any DNS implementation, I recommend maintaining a conventional or standard secondary zone; in the event of an emergency, you can grab the necessary zone file and rebuild as necessary.

DNS Requests for Comment

A Request for Comment (RFC) is a draft of a work in progress that can become a standard. You can read a multitude of drafts relevant to Win2K DNS. For more information on these and other RFC and draft documents, visit www.ietf.org.

These standards are important because they affect how your current DNS infrastructure will integrate with Win2K DNS. Based on the current standards and specifications of your DNS environment (I'll assume you're running some Unix DNS domains somewhere in your enterprise), you'll have three integration options, as I discuss in the main article. Here's a short list of standards and proposed standards:

  • 1034: Domain Names—Concepts and Facilities.
  • 1035: Domain Names—Implementation and Specification.
  • 1123: Requirements for Internet Hosts—Application and Support.
  • 1886: DNS Extensions to Support IP Version 6.
  • 1995: Incremental Zone Transfer in DNS.
  • 1996: A Mechanism for Prompt DNS Notification of Zone Changes.
  • 2782: A DNS RR for specifying the location of services (DNS SRV).
  • 2136: Dynamic Updates in the Domain Name System (DNS UPDATE).
  • 2137: Secure Domain Name System Dynamic Update.
  • 2181: Clarifications to the DNS Specification.
  • 2308: Negative Caching of DNS Queries (DNS NCACHE).

—Kevin Kocis

Integrate Current DNS Structure

Option two (see Figure 2) is to integrate your current DNS structure into the DNS required for Win2K. If your current DNS meets the recommended requirements for Win2K (RFC 2782, SRV records; RFC 2136, dynamic updates; and RFC 1995, incremental zone transfer) and you’ve tested dynamic updates, you can integrate it with Win2K AD. This includes BIND 8.2.2 and higher, as well as Novell’s NetWare 5.0. Remember that BIND 4.9.6 and 4.9.7 meet the minimum requirements. However, BIND 8.x supports dynamic updates, and I would strongly recommend updating to this version before integrating with AD.

Figure 2. In option 2, you implement Microsoft DNS as a corporate domain root and maintain Unix DNS as a subdomain. This isn't an optimal approach if you're running an AD-compatible version of BIND (version 8.2 or later).

Do note, however, that you would want to test this thoroughly to verify the impact on your current DNS and WINS, as well as on DHCP integration. If your Unix servers are running an earlier version than BIND 8.2.2, I recommend updating so they can interact with the enhanced features of AD; at the time of this writing there are no migration or upgrade tools available. The different versions of BIND have separate directories and different file nomenclature, so you’re essentially involved in a not-so-glamorous copy and paste job.

Integrating your current DNS structure into Win2K DNS requires less administrative effort to implement than straight Win2K DNS. Your company can maintain current equipment and infrastructure. Unix and NT administrators can cohabitate. And you can focus on your Win2K implementation rather than fighting a DNS war.

There are some disadvantages, of course. Many Unix DNS servers are running BIND 4.x, and this may create a crossroads situation: upgrade or convert. Also an issue: the possible increase in future administrative overhead and manual data entry. There will also be a single point of failure for dynamic registrations.

BIND Developments

  • Originally developed by the US Defense Advanced Research Projects Agency (DARPA). Versions through 4.8.3 maintained by the Computer Systems Research Group (CSRG) at UC Berkeley.
  • Kevin Dunlap, a Digital Equipment Corp. (DEC) employee, worked on BIND from 1985 to 1987.
  • BIND 4.9 and 4.9.1 released by DEC. Paul Vixie, then a DEC employee, became BIND's primary caretaker.
  • BIND 4.9.2 was sponsored by Vixie Enterprises with Vixie acting as BIND's principal architect/programmer.
  • BIND 4.9.3 and later have been developed and maintained by the Internet Software Consortium with support from sponsors. No more development of BIND 4 is planned.
  • BIND 4.9.6 supports SRV records (minimum requirements for Win2K DNS integration).
  • BIND 8 released May 1997. BIND 8.1.1 and 8.1.2 evolved from this version and supported dynamic updates (recommended for Win2K DNS integration).
  • BIND 8.2 released January 1999. BIND 8.2.x supported incremental zone transfers (also recommended for Win2K DNS integration).
  • BIND version 9 is a major architectural revision in nearly all aspects of the underlying BIND architecture, necessitated by the expected demands of domain name system growth. Added security and scalability are key components of the new version. Beta 1 is currently available.

—Kevin Kocis

Enterprises currently running Unix DNS at the root level will challenge the “demotion” to a subdomain at Microsoft’s suggestion. Despite maintaining Unix equipment as a budget plus, the process of moving a stable, existing DNS infrastructure to a subdomain will not be viewed as a value-added component of integration. As a result, many organizations running later versions of BIND will elect option 3.

Don’t Fix What Isn’t Broken

Option three (see Figure 3) is to supplement your current DNS structure with Win2K. If your company hasn’t installed and maintained recent BIND versions on your root DNS servers and issues have been minimal, you may decide that there’s no reason to “fix something that’s not broken.” Your Unix administrators may feel that Microsoft’s entry into the directory services arena is a venture warranting caution. With this option, you avoid the replacement of your current DNS, as well as additional effort and political warfare.

Figure 3. Option 3, the approach most companies will take, involves implementing a new namespace from the root domain and setting Win2K DNS as the primary master for the new zone.

You can delegate a new Win2K DNS namespace from the existing DNS structure. When a DNS namespace is delegated from an existing DNS tree, the DNS server that owns the zone file for the newly delegated namespace becomes the primary master for that namespace. The DNS zone name should correspond to the AD root domain. This is recommended if you want the benefits of the Win2K DNS server. You can continue using the existing DNS server without delegating the AD namespace as long as current DNS servers support the SRV records and dynamic updates.

One advantage of this option is that your initial integration efforts will be minimized. Because your current DNS root is Unix-based (say, corp.com), you can configure a subdomain (such as Win2K.corp.com) and create a new zone strictly for your Win2K clients. Another advantage is that you reduce AD’s dependence on your current DNS and avoid any potential incompatibility problems. Again, any integration will demand significant testing and documentation.

A disadvantage to this option is that it requires a separate namespace for Win2K logons. This may increase administrative overhead in the long run, including managing dual DNS services. However, companies running DNS on BIND are familiar with distributed or “localized” DNS support, so hierarchical support of DNS as mentioned in this option is quite common already. As a result, many companies will likely choose this integration solution.

In a BIND

Berkeley Internet Name Domain is the most popular DNS implementation. BIND was written by Kevin Dunlap for the 4.3BSD Unix operating system as an implementation of DNS. Since its early release, BIND has been ported to most versions of Unix as well as NT. Currently, BIND is maintained by the Internet Software Consortium (www.isc.org).

The most recent version of BIND is 8.2.2 (with BIND 9 in beta at the writing of this article). However, its preceding versions (4.9.x) remain the most common. Newer Unix operating systems ship with newer versions of BIND. It’s important to note that since most DNS servers have been maintained for some time, many host companies haven’t completed an upgrade to 8.2.2 (though they should for its dynamic update security features and patches). This is a manual, time-consuming process, given the number of Unix DNS servers in many companies. It’s not impossible though.

The minimum DNS requirement for AD integration is support of SRV resource records. BIND 4.9.6 and later versions meet this requirement. However, I strongly recommend upgrading to at least 8.x to support dynamic updates. Note that BIND 8.2.2 supports integration with AD including dynamic updates, zone transfers, and updating SRV records.

The Dynamic Update Protocol (RFC 2136) allows hosts to register domain names and IP addresses with the name service, which in turn allows for automatic namespace updates and alleviates manual administrative updates—important if you’re using DHCP to assign dynamic IP addresses.

The Incremental Zone Transfer Protocol (RFC 1995) allows for incremental updates in the zone transfer process as opposed to transferring the entire zone file. This protocol alleviates bandwidth demands during zone transfers.

The Service Location Resource Record (RFC 2782) allows services to be published in DNS by specifying the location of the server(s) for a specific protocol and domain. The SRV record is used to locate AD services such as LDAP at port 389. It doesn’t use round-robin as an A record query would; clients choose among the targets by the record’s priority and weight fields.

To determine if your version of BIND supports dynamic record updates, use the nsupdate tool that ships with BIND. You can create a test domain and its zone file in your DNS server, then turn on dynamic updating using the nsupdate tool to perform manual dynamic updates.

—Kevin Kocis
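The following is an added example, not code from the article: it ties together the option 3 delegation (a Win2K subdomain such as win2k.corp.com carved out of a Unix-hosted corp.com root), the SRV records a Win2K client uses to find LDAP on port 389, the nsupdate batch you would feed to BIND to exercise dynamic update (RFC 2136), and the RFC 2782 priority/weight selection rule that makes SRV lookups differ from round-robin. All host names, addresses and record values are constructed for illustration.

```python
"""Constructed example: delegation, SRV records and RFC 2782 target selection
for a Win2K zone delegated from a Unix-hosted root (names are assumptions)."""
import random

ZONE = "win2k.corp.com"        # assumed delegated AD zone (see option 3)
SERVICE = "_ldap._tcp"         # AD's LDAP service, published on port 389

# (target host, priority, weight, port) -- all values are constructed.
DCS = [
    ("dc1.win2k.corp.com.", 0, 100, 389),
    ("dc2.win2k.corp.com.", 0, 50, 389),
    ("dc3.win2k.corp.com.", 10, 0, 389),   # remote site: used only on failover
]


def delegation_fragment(ttl=3600):
    """Lines for the parent (corp.com) zone file that delegate the Win2K
    subdomain to its own primary master, with the required glue A record."""
    return "\n".join([
        f"{ZONE}. {ttl} IN NS dc1.{ZONE}.",
        f"dc1.{ZONE}. {ttl} IN A 192.0.2.10",   # constructed glue address
    ])


def srv_owner():
    return f"{SERVICE}.{ZONE}."


def zone_fragment(ttl=600):
    """The SRV RRset in BIND master-file format, as it would sit in the
    delegated zone once the domain controllers have registered."""
    return "\n".join(f"{srv_owner()} {ttl} IN SRV {p} {w} {port} {host}"
                     for host, p, w, port in DCS)


def nsupdate_batch(server="dc1.win2k.corp.com", ttl=600):
    """Commands to pipe into BIND's nsupdate tool to add the same RRset via
    RFC 2136 dynamic update; a REFUSED/NOTIMP reply means the server does
    not accept dynamic updates for the zone."""
    lines = [f"server {server}", f"zone {ZONE}"]
    lines += [f"update add {srv_owner()} {ttl} IN SRV {p} {w} {port} {host}"
              for host, p, w, port in DCS]
    lines.append("send")
    return "\n".join(lines)


def pick_from_tier(tier, pick):
    """RFC 2782 weighted choice within one priority: order weight-0 records
    first, then return the first record whose running weight sum is >= pick,
    where 0 <= pick <= total weight."""
    ordered = sorted(tier, key=lambda r: r[2] != 0)   # stable: weight 0 first
    running = 0
    for rec in ordered:
        running += rec[2]
        if running >= pick:
            return rec
    return ordered[-1]


def select_target(records, rng=random):
    """Client selection: only the lowest priority tier is considered, and
    within it targets are chosen by weight (not round-robin as for A records)."""
    best = min(r[1] for r in records)
    tier = [r for r in records if r[1] == best]
    total = sum(r[2] for r in tier)
    return pick_from_tier(tier, rng.randint(0, total))


if __name__ == "__main__":
    print(delegation_fragment(), zone_fragment(), nsupdate_batch(), sep="\n\n")
    print("selected:", select_target(DCS)[0])
```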

The Windows Perspective

The simple truth for Unix advocates is that if you design your systems the Microsoft way—implementing only Microsoft DNS servers around your campus or enterprise supporting Win2K clients—it does work.

Unfortunately, the world of DNS isn’t so simple, and non-Microsoft clients may not welcome the new DNS with open arms. You don’t have to implement Microsoft DNS to implement AD, but you’ll miss out on many features of AD by not doing so.

Microsoft believes strongly that the following features of Win2K DNS make it a good choice for enterprises looking to implement a reliable hierarchical distributed network environment:

  • AD integration.
  • Incremental zone transfer.
  • Dynamic update and secure dynamic update.
  • Unicode character support.
  • Enhanced domain locator.
  • Enhanced caching resolver service.
  • Enhanced DNS manager.
  • Record scavenging.

Still, with all its new features, AD-integrated DNS remains to be implemented on any full production level. Therefore, it’s difficult to determine if security or support problems never considered will crop up. Remember, some of the Unix Internet DNS servers in your environment are currently stable and secure. Add to this the fact that many Unix mavens feel that Microsoft tends to “alter” existing technologies and preface them with their name (such as, Microsoft TCP/IP or Microsoft DNS) and you understand their concern. The goal of a standard is to have it apply to as many clients as possible, and Microsoft is forcing itself into cutting-edge territory with its latest release. This may prompt strong arguments from your DNS team. Just be ready.

There’s no doubt you’ll face many challenges in integrating AD and Win2K DNS into your existing DNS structure. Now that you have a better understanding of the pros and cons, you can decide which option will work best. Remember, by implementing later releases of BIND, you can provide a strong, functional DNS infrastructure to plan for your AD implementation.
