Active Directory and DNS
Created 2000-03-18 by Rainer
Updated 2001-03-13 by Rainer
Microsoft's Active Directory relies heavily on DNS. DNS is used to find
important resources like domain controllers. Because these in turn are
needed to authenticate users, Windows 2000, XP or 2003 will not work properly without a
correctly configured DNS.
Unfortunately, Microsoft has decided to use very new standards in it's DNS.
The Windows 2000/XP/2003 environment relies on options like dynamic DNS and - to some
degree - Unicode characters in DNS records. While most of this are open
standards, they are only seldom used outside of the Microsoft environment. So in
reality, only the Microsoft DNS server will ensure proper and hassle-free DNS
operation. And if I say Microsoft DNS I mean the one that comes with Windows
2000 or newer operating systems - the Windows NT 4 DNS server won't help much.
This article describes Microsoft's approach, the issues with that and how to
work around them.
Why needs Windows 2000 DNS?
Microsoft has decided to build Active Directory on top of open standards. DNS
is *the* Internet standard for resource location. However, so far it was mostly
used to resolve host names to IP addresses. Typically, it is used to get the IP
address of the host with name e.g. www.windows-expert.net
so that a browser can technically connect to that machine.
However, DNS is more than an IP address resolver. DNS is a distributed
database of so-called resource records. There are many resources besides IP
addresses, most notable name servers or mail exchangers (a.k.a. mail servers). A
relatively new record is the so-called service (SRV) record. That one is used to
describe services residing on machine - for example a domain controller service.
SRV records are an open standard. It is not only supported by Microsoft but also
other vendors. However, other vendor's support is limited and only available in
current releases. The widespread used BIND (Berkley Internet Name Daemon) DNS
server - the de-facto standard under Unix - must have at least version 8.1.2. If
it is an older version, problems will arise almost instantly.
Active Directory uses SRV records to locate any and all services. Not only is
the domain controller detected by SRV records, they also point to global catalog
servers and other important services. Windows 2000 must be able to resolve
references to these services. Otherwise it will fail. Correct DNS records are
of uttermost importance for a healthy Active Directory.
What is DDNS?
So how do these (numerous) entries find their way to the DNS database. The
typical answer so far was: a system administrator has manually entered them into
it. If you have a look at the number of entries that Active Directory depends on
- and their change rate - not a really practical answer. Especially if you take
a look at all clients (e. g. Windows 2000 Professional or Windows XP
Professional) that of course need to be registered in DNS, too.
Clearly, a solution needs to be found to do it automatically. Fortunately,
there is DDNS, the "dynamic" DNS. That standard enables systems to
automatically enter their DNS records into the server's database themselves. For
example, a newly installed Windows 2000/2003 server registers it's IP addresses into
DDNS as well as the SRV-records for any services running on it. Manual entries
need not to be made.
Sound like a perfect solution? Well, what on this world is perfect... First
of all, the number of DNS servers supporting DDNS is limited (especially the
number of these ones working well...). Secondly, and that is even harder, DDNS
has a number of security weaknesses. So you are typically limited in you options
and will carefully evaluate if you would like to have DDNS running as your
Internet (external) DNS server.
But beware - DDNS is really a life-safer in the Active Directory context and
its problems can be worked around. Practically, we recommend using the
Windows 2000 DDNS server instead of any third party product. Fortunately that
server can neatly be integrated into existing DNS infrastructures. Just ensure
that Windows 2000, XP, 2003 or other Active Directory systems only use DDNS servers.
Theoretically, you can also use a non-dynamic DNS server (that ones with the
manual database entries). But we recommend this option only if you absolutely do
not know how to fill all of that spare time...
So what does this mean in Reality?
Active Directory dependence on DDNS has some clear results: A Windows 2000
server without Active Directory can be used with any DNS server without
any problems. For example, you can use your ISP's DNS server (as often done). However,
if on that very same machine Active Directory is installed, you should point it
to one of the Active Directory domain's DDNS servers. Except, again, you have
lots of spare time...
Unfortunately in many cases the previous DNS settings is preserved. This most
often happens during an upgrade from NT 4 DC to Windows 2000. Because the
previous DNS server does not support DDNS, the upgraded Windows 2000 domain
controller can not register itself into it. If that is the case, the Active
Directory DC logs an error message to the Windows event log. However, most users
(and even most admins) do either not see that message or can not interpret it
correctly (it is a bit cryptic if you don't know the exact specifics).
Once this DNS problem has persisted, the real trouble begins. Active
Directory is unable to function correctly due to missing DNS records and as such
vital resources. Unfortunately, Windows 2000 falls back to pre-Active Directory
methods for e. g. authentication, so the systems works to a certain degree.
However, all pure Active Directory functions fail, the Windows event log rapidly
fills with more and more additional error messages. If you try to install an
additional AD DC in this situation, it will fail - once again with a very
cryptic and hard to understand error message. In fact, the error says that the
domain does not exist - but the wizard itself displays the domain to be present.
Sounds like you would be puzzled? I bet you will!
Messages like that are a clear indication of an incorrectly configured DNS or
missing entries. In most cases, a missing DDNS is the root cause of all this
errors. In the authors personal experience, missing DDNS or otherwise
misconfigured DNS is the number 1 trouble spot in Active Directory
To avoid this, follow our #1 rule for Active Directory: Before installing
your first Active Directory server, a working DDNS needs to be installed.
It's easy: add a Microsoft DNS server to the first Windows 2000 server that is
being installed. It's just a matter of minutes if you follow the wizard. Most
wizards will also automatically install the DNS server if you don't oppose it.
Once the DNS server is set up, the DNS zone for Active Directory needs to be
created. Easily done with DNS manager (under "Forward-Looking Zones).
But having the DNS server and DNS zone in place is not sufficient: It needs
to be used by your systems! Once again, here very often a mistake occurs. Most
people tend to use their provider's DNS server, because that is what they did
all the time. But this is not an option for Active Directory! So you want to
make sure you use your own (D)DNS server. Manually, this is done via the network
The screenshot shows a typical Active Directory server setup: that server is
working as a DDNS server as well and its preferred DNS server points to itself.
So it will be able to register its DNS records and query them successfully. By
the way: all dialogs say "DNS" - read it as "DDNS" and you
will have less trouble.
In many scenarios, people even have tried this setup but than lost Internet
name resolution - and then switched back to their provider's DNS server. Don't
let fool you: the setup here is correct. If you can't resolve Internet names
after doing so, please
read our related article on how to fix that!
Important: if you install other Windows 2000/XP/2003 servers and workstations
(Windows Professional), make sure that these systems do use your own DDNS server
as well. Otherwise, they won't see the vital Active Directory information and as
such will not work properly.
Also, ensure that you apply "old style" best DNS practices.
Specifically, have at least two DNS servers available. If you operate a single
server and that server fails (or is just rebooted), no DNS resolution is
available at all. During such periods, network operation is seriously affected.
If you have at least two servers, that won't happen to you. In case the first
one fails, the client automatically switches to the second one. So the
screenshot above is not really an ideal configuration - the alternate DNS server
Smooth Active Directory Installation
Once the DNS system has correctly been installed, Active Directory
installation can be carried out. Typically, this is now a painless process. If
you still experience any unexpected error messages, the server may not already
have registered all of its records into the DDNS. In this case, open up a
commend prompt and type "ipconfig /registerdns". Then wait another 15
minutes before continuing. It is also a good idea to check the event log if
there are any errors.
Please note that for all actions described here no reboot is necessary.
Microsoft has really reached its goal to reduce the number of reboots in this
By the way: most of the things described in this article are done
automatically when you run the Active Directory wizards with default settings.
However, many people see a need to modify these settings. The most common
trouble cause is Internet name resolution, which might not work correctly when
the wizards are run with the defaults. Please see our related
article if you experience any problems in that area.
Even if you run the wizards and accept default settings - checking to ensure
the wizard configured the system correctly does not harm. Instead it can be your
Active Directory must be carefully designed!
I would like to drop one important reminder. I have written this article
after seeing numerous questions on active directory DNS issues. Active directory
is a great tool with enhanced capabilities - but it is also very complex. If
someone just wants to try it on a home PC - or a lab machine - try and error may
work (but will also cause lots of frustration).
If active directory is to be setup in an corporate environment - no matter
how small or how large - try and error is definitely not an option!
Active directory requires careful design. For a small biz its an easy task to do
so - as long as you exactly know what you are talking about. So if in doubt, I
recommend going out and asking someone who knows how to do it.