The speaker is Mark Minasi. I will only blog a few points from this presentation, because it’s material that Mark makes a living from. Despite the notes here, I really recommend you attend Mark’s sessions if you get a chance … there’s always much more to be learned from him in person.
- DNS is the cause of most Active Directory issues. True enough based on my experiences.
- WINS is not dead. It is still used by many technologies, so try disabling it in a lab first. WINS is a W2008 feature. IPv6 is not WINS aware.
- Computer Browser (the Network Neighbourhood service) is turned off by default. Network Discovery (multicast instead of broadcast) is disabled by default. It uses UDP 3702, TCP 5357 (HTTP) and 5358 (HTTPS), and is based on WS-Discovery. Removing legacy (pre-Vista/W2008) machines reduces LAN traffic.
- Background zone loading: with LOTS (thousands) of AD-integrated zones, a DC could take 1 hour to boot, because DNS loaded and checked all zones before completing service startup. Now DNS fires up and loads the zones in the background, allowing the DC to boot faster. DNS is multithreaded, and can send an LDAP query to another DC while an AD-I zone is still unavailable locally. The server is not able to accept updates until all zones are loaded.
Administration
- You can install DNS and/or ADDS on Server Core. Use DNSCMD to manage DNS; it is now in the OS, not in the resource kit.
- For the first zone you create on Core using DNSCMD, restart the DNS service to make it work. There’s a weirdness there in the DNS service; after the first zone, everything is fine.
- Keep reverse zones to facilitate site-based GPO and to quell DNS chatter on PTR records. All computers attempt to register PTR records even if you have no AD-I reverse zone, in which case the registration attempt can go out onto the Internet. Not nice at all! See "prisoner.iana". Or use GPO to disable PTR registration.
- Beware the dodgy DCPROMO DNS wizard trying to create a delegation of .com, etc. for your root domain. Just say "no". And even if things are OK, you get a warning about the zone already existing. It’s a nonsense error.
- RODCs cannot accept changes to AD-I zones, so that DNS update traffic will want to go to a read/write copy of AD across the WAN. Use ADSIEdit to modify the permissions of that zone to allow the group of RODCs to write to the zone.
- Branch office DC offline => PCs in the branch office will hit any random DC on the WAN for logon. We now have "Rediscover". It is automatic on W2008 and Vista; see KB939252 for XP and W2003. GPO: Computer Configuration\Administrative Templates\System\Netlogon\DC Locator DNS Records\Force Rediscovery Interval. The default value is 12 hours (measured in seconds). Vista and W2008 operate differently – they use site links to find the next nearest site. Another reason to put in sites and site links – DO NOT USE THE DEFAULT SITE LINK! It’s lazy and leaves things unprepared for other services, e.g. Exchange 2007.
IPv6 and Name Resolution
- Uses LLMNR, Link-Local Multicast Name Resolution. The requestor multicasts to UDP 5335; the answerer unicasts back to the requestor on UDP 5335.
- AAAA (quad-A) records give name-to-IPv6 resolution. Vista and 2008 automatically register AAAA records. Link-local addresses that start with FE80 don’t register in DNS. W2003 DNS handles AAAA.
New DNS Record Types
- DNAME: maps nasty long DNS names to short friendly ones. It’s similar to CNAME, just for whole domain names, and is handy in migration scenarios. It’s an RFC record type. Example: move the A or AAAA records to the new zone, then create a DNAME record in the old zone. You cannot do this in the GUI – use DNSCMD: dnscmd /recordadd oldzone.com @ DNAME newzone.com. The response to a query is like "Oh sorry, that doesn’t exist. Did you mean this instead?". If other records remain in the old zone, the DNAME stops working … leave only the defaults there, e.g. SOA, NS, etc.
- Post-WINS single-label names: use NetBIOS-style names for DNS lookups, e.g. myserver instead of myserver.myzone.com. Requires Windows Server 2008 on all DNS servers. Use a zone called "GlobalNames" and enable global name resolution on all DNS servers that host that zone. Now add CNAMEs in this zone, e.g. myserver maps to myserver.myzone.com. Best to use AD-integrated zones; putting it in ForestDNSZones makes sense for this – it’s a global zone. You can use it as a WINS replacement for manageable numbers of records; they’re manually created.
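The DNAME migration and the GlobalNames setup above, as an added DNSCMD script that is not from Mark’s session. The zone and host names (myzone.com, oldzone.com, newzone.com, myserver) are assumptions for illustration; run it on a W2008 DC holding the DNS role, and repeat step 1 on every DNS server.

```batch
@echo off
rem Added example, not from the session: GlobalNames zone plus a DNAME
rem migration record, all via DNSCMD (works on Server Core, no GUI needed).
rem Assumed names: myzone.com, oldzone.com, newzone.com, myserver.

rem 1. Turn on single-label (GlobalNames) resolution on THIS DNS server.
rem    Every DNS server must have this set, or its clients get NXDOMAIN
rem    for single-label names the GlobalNames zone is meant to answer.
dnscmd /config /enableglobalnamessupport 1

rem 2. Create the GlobalNames zone as AD-integrated in the forest-wide
rem    application partition (ForestDNSZones), so all DNS servers in the
rem    forest replicate it. Only Windows Server 2008 DNS servers use it.
dnscmd /zoneadd GlobalNames /dsprimary /dp /forest

rem 3. Add one static CNAME per single-label name. Clients never register
rem    into GlobalNames, so this list is maintained by hand.
dnscmd /recordadd GlobalNames myserver CNAME myserver.myzone.com

rem 4. DNAME at the apex of the old zone, after the A/AAAA records have
rem    been re-created in newzone.com. Only SOA and NS should remain in
rem    oldzone.com; any other records left there break the redirection.
dnscmd /recordadd oldzone.com @ DNAME newzone.com

rem 5. Verify: dump both zones, then resolve against the local server.
dnscmd /zoneprint GlobalNames
dnscmd /zoneprint oldzone.com
nslookup myserver 127.0.0.1
nslookup www.oldzone.com 127.0.0.1
```

The last nslookup should return an answer for www.newzone.com, which is the "did you mean this instead?" behaviour described above.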