DNS, which is responsible for resolving domain names to IP addresses, isn’t just the name resolution system that underpins the global Internet—it’s also a critical component in Windows Active Directory (AD) for locating network resources. But despite the ubiquitous nature of DNS in Windows networking over the past decade as a replacement for Microsoft’s proprietary WINS, DNS is a complex hierarchical system that many junior administrators find difficult to grasp.
In this article, we’ll look beyond a single-forest/single-domain AD structure, where DNS configuration is relatively straightforward, and investigate how DNS works in a more complex AD design. Along the way, we’ll introduce some of the new DNS concepts in Windows Server 2008 R2.
Active Directory and DNS Integration
To help us understand how DNS integrates with AD, let’s configure an AD structure that’s commonly deployed in midsized and large organizations. We’ll create a single forest with two domains, as Figure 1 shows. The first domain will be what’s often referred to as an empty root, or just root, domain. An empty root domain sits at the top of the AD hierarchy and, as its name suggests, doesn’t contain any resources. This type of domain gives organizations more flexibility and better separation of security roles than a single forest/single domain. The second domain will sit below our empty root and is therefore a child domain; it will function as the main domain for our organization, where resources (e.g., groups, user and computer accounts) are located.

Figure 1: Single forest with two domains
We start by running Dcpromo on the first server to create the forest and empty root domain. Log on to Server 2008 R2 as an administrator. Make sure that you’ve given the server an appropriate name, such as DC1, and set an IP address, subnet mask, and default gateway on the server’s NIC. You can leave the NIC’s DNS settings empty and let Windows add a local address.
Run Dcpromo from the Start menu and create a new forest and domain called ADcompany.com. Note that I prepended AD to the company name to keep the internal and external DNS namespaces separate. ADCOMPANY will become the NETBIOS name for the domain. Even though the domain is intended for internal use only, it’s important to register the ADcompany.com domain on the Internet to ensure that clients can’t be accidentally redirected to a device that’s outside the organization’s control. It’s also common to use the AD.company.com namespace hierarchy, where AD becomes the NETBIOS name for the domain. In this case, assuming company.com is already registered by the company on the Internet, no additional action is required.
On the Additional Domain Controller Options screen, make sure the DNS server option is selected. After you click Next and Dcpromo begins to validate the selected options, you’ll receive a warning stating that a delegation can’t be created because the authoritative parent zone can’t be found. In other words, Dcpromo can’t find an authoritative DNS server (i.e., a server that holds a primary or secondary copy of zone data for the .com domain) in which it can create a delegation for the ADcompany.com domain.
A DNS zone holds all resource records for one part of the namespace, such as ADCOMPANY or COM. Because this is our internal root AD domain, a delegation record in the public COM zone isn’t necessary and you can safely ignore this warning. We’ll understand more clearly what delegation means when we create our child domain.
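As an added example (not from the article), the following PowerShell script runs the checks that sit behind this Dcpromo step on the new DC: whether the forest root zone is hosted locally, whether the parent zone is held locally (which decides whether the delegation warning is expected), and whether the internal name is registered publicly. It assumes a Server 2008 R2 DC with the DNS role, so it uses only dnscmd and nslookup; the public resolver address is an assumption and can be any recursive resolver.

```powershell
# Added example (not from the article): sanity checks behind the Dcpromo
# DNS step, using only tools present on a Server 2008 R2 DC with the DNS
# role (dnscmd, nslookup). Zone names are the article's; the public
# resolver address is an assumption and can be any recursive resolver.
param(
    [string]$ForestRoot     = "ADcompany.com",
    [string]$PublicResolver = "8.8.8.8"
)

# dnscmd /EnumZones lists every zone this DNS server holds, one per line,
# e.g. " ADcompany.com   Primary   AD-Domain   Secure".
$zoneList   = dnscmd /EnumZones 2>&1
$parentZone = $ForestRoot.Substring($ForestRoot.IndexOf('.') + 1)   # "com"

function Test-ZoneHosted([string]$Name) {
    $pattern = "^\s*" + [regex]::Escape($Name) + "\s"
    return [bool]($zoneList | Where-Object { $_ -match $pattern })
}

# 1. The forest root zone must exist on the DC that just ran Dcpromo.
if (Test-ZoneHosted $ForestRoot) {
    Write-Host "[OK]   $ForestRoot is hosted on this server"
} else {
    Write-Host "[WARN] $ForestRoot is not hosted here; check the DNS role"
}

# 2. Dcpromo's "delegation can't be created" warning is expected whenever
#    the parent zone is not held locally (always true for a public TLD such
#    as com). If the parent IS hosted here (e.g. company.com for
#    AD.company.com), a delegation can be created and is worth verifying.
if (Test-ZoneHosted $parentZone) {
    Write-Host "[INFO] Parent zone $parentZone is hosted here; create/verify the delegation for $ForestRoot"
} else {
    Write-Host "[INFO] Parent zone $parentZone is not hosted here; the delegation warning is expected"
}

# 3. The article recommends registering even an internal-only name so that
#    a lookup that escapes the internal servers cannot resolve to a host
#    outside the organization's control. Public NS records show whether
#    the name is taken; compare them with the registrar's record.
$publicNs = nslookup -type=NS $ForestRoot $PublicResolver 2>&1 |
    ForEach-Object { if ($_ -match 'nameserver\s*=\s*(\S+)') { $matches[1] } }

if ($publicNs) {
    Write-Host "[INFO] Public NS for ${ForestRoot}: $($publicNs -join ', ') (verify against the registrar)"
} else {
    Write-Host "[WARN] No public NS records for $ForestRoot; register the name"
}
```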