How to configure DNS for Active Directory

Correct DNS configuration is essential when using Active Directory. It underpins critical server operations such as domain controller replication  as well as client-server communications. Before working on AD configuration you should have a sound understanding of how DNS works, including knowledge of performing DNS diagnostics such as looking up a DNS record from an authoritative source in debug mode.

Expand All

Microsoft Active Directory uses DNS to enable servers and workstations to locate services (such as domain controllers) running within the Active Directory namespace.

To support an Active Directory domain called example.org, DNS servers that manage the example.org subdomain must be available to your domain controllers and workstations. The domain name that your AD uses is called your internal DNS namespace. The domain that you have registered for use on the internet (either as a service provider, or as an internet client) is called your external DNS namespace.

The two namespaces do not have to be the same, giving rise to three main architectures:

  1. Internal and external DNS namespace are the same - use your unit DNS domain for your AD - this is our recommended and most common deployment
  2. Internal DNS namespace with referral to a different external DNS namespace - this might be the case if your unit DNS has changed since your AD was configured, or if you need to operate more than one AD domain within your unit
  3. Internal DNS namespace only, used only on your own network - an unlikely configuration at Oxford as this excludes internet access and not detailed below

Microsoft provides further details on DNS namespace planning, using disjoint namespace, and split-brain DNS.

 

Pre-requisites

Note or decide the following details before you start:

  1. The name of your domain must be the same as the DNS subdomain name of your unit (unit.ox.ac.uk). If you have multiple DNS names available to your unit, you need to decide which to use
  2. Choose a NetBIOS name for your domain that won't clash with existing names used in Oxford, including the central WINS service
  3. The names and IP addresses of the servers that will run the DNS service. Generally these will be your domain controllers and you should operate at least two

Known Issues

Domain controllers will be unable to register an A record resolving to their own IP address for the name of the domain (unit.ox.ac.uk) with the central DNS servers. Although this is not generally an issue, it can break some functionality:

  • Systems that are not joined to the domain fail to locate domain DFS namespaces via DNS
  • Attempting to create a DFS namespace on a 2008 server in the domain may fail with an RPC error
  • Joining Mac OS X 10.5 clients to a domain fails for versions prior to 10.5.3. This was resolved as of 10.5.3

If you are affected by either of the DFS issues, or if you think you may have discovered other functionality that is broken by these missing records, please contact us.

Installing and Configuring DNS on the First Domain Controller

  1. On the first domain controller, open the TCP/IP properties of the network connection and make sure that the DNS servers listed are the current central DNS servers
  2. Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use the Server manager to add the Active Directory Domain Services role; make sure you select Use advanced mode installation when the Active Directory Domain Services Installation Wizard starts up.
  3. On the Additional Domain Controller Options page (Windows Server 2008), make sure that DNS will not be installed if you are given this option (Windows Server will probably tell you that it can't install it anyway as it isn't authoritative for the domain). On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo
  4. Use Add/Remove Programs > Windows Components > Networking Services or Configure Your Server to install the DNS service. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role. Don't worry if Windows Server warns you about the domain authority
  5. Open Administrative Tools > DNS management. Delete the unit.ox.ac.uk zone if it exists, but keep the _msdcs.unit.ox.ac.uk zone
  6. Select Forward Lookup Zones > New Zone to create the following zones, configuring them as Active Directory-integrated and Allow secure dynamic updates_tcp.unit.ox.ac.uk_udp.unit.ox.ac.uk_sites.unit.ox.ac.uk_msdcs.unit.ox.ac.uk, DomainDnsZones.unit.ox.ac.ukForestDnsZones.unit.ox.ac.uk
  7. For 2008 Server Core, use another machine to administer DNS, or use dnscmd, which is beyond the scope of these instructions
  8. For each zone, configure an appropriate contact address (Responsible person) under the Start of Authority (SOA). This is often an email address with a . substituted for the @ and a further . appended to the end of the address
  9. For the forest root domain only, edit the properties of the _msdcs.unit.ox.ac.uk domain and on the General tab ensure that it is configured to Replicate to All DNS servers in the Active Directory forest. Other domains should be configured to Replicate to DNS servers or domain controllers within the domain
  10. In the DNS management tool select the Server object > Properties > Forwarders and configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. Make sure there is an entry for All other DNS domains and add the addresses for each of the central DNS resolvers to the forwarders list for this entry
  11. Register your domain DNS servers with the central DNS service using the Hydra bulk edit template for ADSRV. Always register canonical names rather than aliases
  12. Open TCP/IP properties of the network connection and replace any DNS server address(es) with the address of your new DNS server (its own address)
  13. Reboot the server, restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS
  14. Compare C:\Windows\System32\Config\netlogon.dns with the entries in the DNS management tool. You may need to refresh or even restart the DNS management tool before you can see them
  15. Check the event logs for errors. Event ID 5774 is expected if it reports a problem registering the host (A) record for the domain itself. You can suppress this by adding a multistring value (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, with data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon
  16. Run netdiag /v /test:dns and dcdiag /v /test:dns and confirm that everything looks healthy

Configuring the Second and Subsequent Domain Controllers

  1. Open the TCP/IP properties of the network connection and replace any DNS server entries with the address of your Windows DNS server (usually your first domain controller)
  2. Use dcpromo to install Active Directory adding the server as a new server in an existing domain. Again, ignore any warnings about Windows server refusing to install DNS. On 2008 Server Core, use InstallDNS=No in an answer file, or /InstallDNS:No as a command-line switch to dcpromo
  3. Use Add/Remove Programs > Windows Components > Networking Services or Configure Your Server to install the DNS service if necessary. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role. You don't need to configure the zones again as the Active Directory-integrated zones you configured on the first DC will be replicated automatically (although this can take a while)
  4. Open DNS management program and check that the following zones are visible: _tcp.unit.ox.ac.uk_udp.unit.ox.ac.uk_sites.unit.ox.ac.uk_msdcs.unit.ox.ac.ukDomainDnsZones.unit.ox.ac.ukForestDnsZones.unit.ox.ac.uk. On Windows 2008 Server Core, use DNSCMD or remote management. It may take a while for the zones to appear
  5. In the DNS management tool select the Server object > Properties > Forwarders and configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. Make sure there is an entry for All other DNS domains and add the addresses for each of the central DNS resolvers to the forwarders list for this entry
  6. Register your additional domain DNS server with the central DNS service using the Hydra bulk edit template for ADSRV. Always register canonical names rather than aliases
  7. Open TCP/IP properties of the network connection and replace any DNS server address(es) with the address of your new DNS server (its own address)
  8. Reboot the server, restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS
  9. Compare C:\Windows\System32\Config\netlogon.dns with the entries in the DNS management tool. You may need to refresh or even restart the DNS management tool before you can see them
  10. Check the event logs for errors. Event ID 5774 is expected if it reports a problem registering the host (A) record for the domain itself. You can suppress this by adding a multistring value (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, with data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon
  11. Run netdiag /v /test:dns and dcdiag /v /test:dns and confirm that everything looks healthy
  12. On all other domain controllers, open the TCP/IP properties of the network connection and add the IP address of your new domain controller/DNS server to the list of servers. Make sure that DNS servers have their own address first in the list (putting it lower down can result in 5 to 10 boot delays)

Choosing an AD domain name

You need to do is to choose a name for your domain that doesn't exist in global DNS and is never likely to exist. We recommend that you use a subdomain of your DNS name such as unit-ad.unit.ox.ac.uk.

You may already be using a subdomain of a top level domain such as unit-ad.local. If this is working for you then there is no immediate need to change. However, you may experience problems with multicast DNS and zeroconf solutions, creating SSL certificates and similar operations that depend on DNS.

Further naming considerations are

  • Do not use made-up top level domain names as these cause unnecessary traffic for the root name servers
  • Do not make up a new subdomain of ox.ac.uk as this might be registered as a real subdomain in the future
  • Make sure the first part of the name (unit-ad in the example above) isn't going to clash with another unit's choice of name in the central WINS service
  • If you use a subdomain of your existing domain, make sure that the name you choose is not, and will never be registered as a hostname in the central DNS
  • If you need more than one domain you can pick another subdomain such as unit-ad2.unit.ox.ac.uk or nested subdomain such as unit-ad2.unit-ad.ox.ac.uk. Again, take care if using the central WINS service

Pre-requisites

  1. Choose your internal AD domain (see Choosing an AD domain name above)
  2. Make sure you know the names and IP addresses of the servers that will run the DNS service. Generally these will be your domain controllers and you should operate at least two

Installing and Configuring DNS on the First Domain Controller

  1. On the first domain controller, open the TCP/IP properties of the network connection and make sure that the DNS servers listed are the current central DNS servers. Also ensure that the server name and IP address are registered in the central DNS
  2. Use dcpromo to install Active Directory onto the first server in a domain. With Server 2008 you can also use the Server manager to add the Active Directory Domain Services role; make sure you select Use advanced mode installation when the Active Directory Domain Services Installation Wizard starts up.
  3. On the Additional Domain Controller Options page (Windows Server 2008), make sure that DNS will be installed if you are given this option (Windows Server will probably tell you that it can't install it anyway as it isn't authoritative for the domain). On 2008 Server Core, use InstallDNS=Yes in an answer file, or /InstallDNS:Yes as a command-line switch to dcpromo
  4. Open Administrative Tools > DNS management > Forward Lookup Zones. You should see one entry for unit-ad.local, and if this is the first domain in a forest (the forest root) you should also see a zone called _msdcs.unit-ad.local. If these zones are not present then create them in the Forward Lookup Zones folder, configuring them as Active Directory-integrated and Allow secure dynamic updates, remembering that you only need the second zone if this is the first domain in a new forest
  5. For the forest root domain only, edit the properties of the _msdcs.unit.ox.ac.uk domain and on the General tab ensure that it is configured to Replicate to All DNS servers in the Active Directory forest. Other domains should be configured to Replicate to DNS servers or domain controllers within the domain
  6. Register your domain DNS servers with the central DNS service using the Hydra bulk edit template for ADSRV. Always register canonical names rather than aliases
  7. Open TCP/IP properties of the network connection and replace any DNS server address(es) with the address of your new DNS server (its own address)
  8. Reboot the server, restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS
  9. Compare C:\Windows\System32\Config\netlogon.dns with the entries in the DNS management tool. You may need to refresh or even restart the DNS management tool before you can see them
  10. In the DNS management tool select the Server object > Properties > Forwarders and configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. Make sure there is an entry for All other DNS domains and add the addresses for each of the central DNS resolvers to the forwarders list for this entry
  11. Check the event logs for errors. Event ID 5774 is expected if it reports a problem registering the host (A) record for the domain itself. You can suppress this by adding a multistring value (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, with data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon
  12. Run netdiag /v /test:dns and dcdiag /v /test:dns and confirm that everything looks healthy

Configuring the Second and Subsequent Domain Controllers

  1. Open the TCP/IP properties of the network connection and replace any DNS server entries with the address of your Windows DNS server (usually your first domain controller)
  2. Use dcpromo to install Active Directory adding the server as a new server in an existing domain. Choose to install the DNS server with Active Directory Domain Services if you are offered this on the Additional Domain Controller Options page. On 2008 Server Core, use InstallDNS=Yes in an answer file, or /InstallDNS:Yes as a command-line switch to dcpromo
  3. Use Add/Remove Programs > Windows Components > Networking Services or Configure Your Server to install the DNS service if necessary. For 2008 Server Core use start /w ocsetup DNS-Server-Core-Role. You don't need to configure the zones again as the Active Directory-integrated zones you configured on the first DC will be replicated automatically (although this can take a while)
  4. Open DNS management program and check that the following zones are visible: unit-ad.local_msdcs.unit-ad.local. On Windows 2008 Server Core, use DNSCMD or remote management. It may take a while for the zones to appear
  5. Register your additional domain DNS server with the central DNS service using the Hydra bulk edit template for ADSRV. Always register canonical names rather than aliases
  6. Open TCP/IP properties of the network connection and replace any DNS server address(es) with the address of your new DNS server (its own address)
  7. Reboot the server, restart the NetLogon service, or wait a few hours to trigger the registration of records in the DNS
  8. Compare C:\Windows\System32\Config\netlogon.dns with the entries in the DNS management tool. You may need to refresh or even restart the DNS management tool before you can see them
  9. In the DNS management tool select the Server object > Properties > Forwarders and configure your DNS servers to send all requests for information that they do not hold themselves to the DNS Caching Resolvers. Make sure there is an entry for All other DNS domains and add the addresses for each of the central DNS resolvers to the forwarders list for this entry
  10. Check the event logs for errors. Event ID 5774 is expected if it reports a problem registering the host (A) record for the domain itself. You can suppress this by adding a multistring value (REG_MULTI_SZ) value called DnsAvoidRegisterRecords under HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters, with data value LdapIpAddress. See Restrict the DNS resource records that are updated by Netlogon
  11. Run netdiag /v /test:dns and dcdiag /v /test:dns and confirm that everything looks healthy
  12. On all other domain controllers, open the TCP/IP properties of the network connection and add the IP address of your new domain controller/DNS server to the list of servers. Make sure that DNS servers have their own address first in the list (putting it lower down can result in 5 to 10 boot delays)

If you have a forest with more than one domain, or you need to set up trusts between two domains in different forests.

In all cases, make sure that your firewall configuration is correct, as described elsewhere on this page. Also make sure that the domain controllers, including the DNS servers, running in the different domains can communicate with each other through any firewalls that are between them.

Further troubleshooting for Option 1

When using your primary DNS namespace for your AD with the Option 1 configuration above then everything should work with minimal additional configuration.

Check that only the _msdcs.unit.ox.ac.uk zone is configured to replicate to all DNS servers in the Active Directory forest.

Further troubleshooting for Option 2

Configuring name resolution between multiple domains when separate internal DNS namespaces requires each domain to be manually configured with the DNS server settings for the internal namespaces. The following options are suggested but untested:

  1. Where both domains are in the same forest, edit the properties of all DNS zones to Replicate to All DNS servers in the Active Directory forest
  2. Configure the DNS servers in each domain to forward queries for the other zone to DNS servers in the other domain
  3. If you have two separate forests, configure secondary zones for each domain on the other domain's DNS servers

For Option 1

Clients can be configure to use either the central DNS servers or your Active Directory DNS servers. Additional tools that IT Services use for diagnosing security and configuration issues will only apply for clients using the central servers.

If using the central servers, make sure that firewalls are configured correctly as per the previous section or lookups routed through the central resolvers may fail.

You cannot configure your clients to register their names and IP addresses automatically in DNS. This can cause application problems if the client Windows name does not match the first part of its registered DNS name. The simplest solution to this issue is to make sure that the names match.

Disabling dynamic DNS registration

Please ensure that you disable the default Windows option on clients to register the computer name and IP address in DNS at boot time. This causes extra load on the Oxford DNS servers and will result in errors being logged that may confused diagnosis of network or AD problems. Never disable this setting on domain controllers as this will also stop them registering their service records.

  1. Select Start  , begin typing connection, select View network connections
  2. For each connection that might be used (usually named Ethernet and Wifi) visit Properties > Internet Protocol Version 4 (TCP/IP) > Properties > Advanced > DNS and deselect Register this connection's addresses in DNS
  3. Also disable this for IPv6 on each connection: Properties > Internet Protocol Version 6 (TCP/IP) > Properties > Advanced > DNS and deselect Register this connection's addresses in DNS

For Option 2

Clients must be configured to use your Active Directory DNS servers. It is a good idea to include at least one of the central resolvers so that clients can still locate internet services even if your domain controllers are unavailable.

You can configure your clients and servers to register their names and IP addresses dynamically in DNS. You must continue to use the normal mechanisms via the IT Services web pages to register them for addresses that can be resolved externally.

If the network connection between your unit and IT Services is unavailable then you may find that logging in becomes very slow, or experience other name resolution issues. This happens because although most Active Directory records are registered on your local DNS servers, which continue to be accessible, the host records that translate between names of servers and IP addresses are held on the IT Services DNS servers.

If this is a problem for your unit, you may be able to provide resilience by running a secondary name server for the ox.ac.uk zone and asking IT Services to arrange for zone transfers to be allowed to a designated server. You then need to make sure that your domain controllers are configured to look up requests for ox.ac.uk via this name server. You can do this by configuring your DNS servers to forward requests for information about ox.ac.uk to this secondary server (add an entry for ox.ac.uk in the Forwarders tab in the [Properties] of the server object in the DNS management tool, or on Windows 2008, by an entry in the Conditional Forwarders folder).

You may be able to configure one of your existing Windows DNS servers to act as this secondary server. To enquire about this service, email IT Services in the usual way. If you decide to use one of your Windows DNS servers to manage the secondary zone, use the DNS Manager to create a new zone of type [Secondary] and configure zone transfers as directed by IT Services.

Perimeter, segment and device firewall restrictions that block DNS traffic can give rise to server and client problems. They can also trigger errors in the output from dcdiag and netdiag that can make it harder to identify real problems. Problems may be masked because systems fall back on NetBIOS name resolution.

If you are using Option 1, or want your clients to be able to connect from locations outside of your local networks then your AD DNS servers should be contactable from anywhere in the world. In practice however, you may want to restrict connections to the Oxford subnets, either on the servers themselves or via a separate firewall.

It is recommended that you do not lock your firewall settings for DNS traffic to and from your DNS servers down more than detailed below. The first two rows are the ones that we most often see configured incorrectly (or not allowed at all), and note that you need to allow access to the recursive source IPs.

Source Addr Source Port Dest Addr Dest Port Notes
Central DNS resolvers * Your DNS servers 53/tcp Not required with Option 2
Central DNS resolvers * Your DNS servers 53/udp Not required with Option 2
Your DNS servers * * 53/tcp  
Your DNS servers * * 53/udp  

 

Get support


Local IT support provide your first line of on-the-spot help

FIND MY LOCAL IT TEAM

 

Common requests and fault reports can be logged using self-service

   USE IT SELF-SERVICE      

   LOG A SUPPORT CALL     

VIEW MY SUPPORT CALLS  

 

The central Service Desk is available 24x7 on +44 1865 6 12345

 

If you do not have an SSO account you can use this form to contact the Service Desk