Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  
  Advanced Search 


February 2000

Integrating UNIX DNS with Windows 2000


From the February 2000 Edition
of Windows IT Pro
Tao Zhou
Focus
InstantDoc #7874
Windows IT Pro
Email this Article
Printer Friendly
Reader Comments
Digg This
Del.icio.us
RSS
Subscribe to Windows IT Pro | See More UNIX Articles Here | Reprints | Or get the Monthly Online Pass—only $5.95 a month!

Download the Code Here

Option 1: Migration
After you check your UNIX DNS implementation for SRV RR and dynamic update support, you'll likely discover that your implementation doesn't provide this support. An easy way to support the deployment of Win2K in your company is to migrate your current DNS service to Win2K DNS. Win2K DNS supports SRV RRs, dynamic updates, and AD integration.

The migration procedure is straightforward. You install a standalone Win2K server before you install a domain controller and AD. Install Win2K DNS service on the standalone server from the Networking Services dialog box. Copy the forward and reverse lookup zone files from your UNIX DNS server to the C:\winnt\system32\dns directory on the new Win2K DNS server.

You can use FTP to transfer the files from UNIX to Win2K. If you're not sure where the old zone files are in the UNIX machine, the directory statement in the named.boot or named.conf file in the /etc directory tells you which directory holds the zone files. UNIX DNS administrators often use a filename that starts with db to represent a zone file (e.g., db.acme). By default, Win2K uses a filename with a .dns extension to express a zone file (e.g., acme.com.dns), but you can use a different file-naming convention or use the old UNIX DNS zone filenames in Win2K DNS.

If your AD domain name is different from the UNIX DNS domain name, you must switch to the AD domain name for Win2K DNS. Change the old domain name in the copied zone files that are now on the Win2K DNS server to the new domain name.

You're now ready to create a new zone in the Win2K DNS administrative tool for each zone file that you copied from your UNIX DNS server. After you enter the domain name (e.g., acme.com), the New Zone Wizard prompts you to create a new zone file or use an existing zone file, as Screen 1 shows. Select the Use this existing file option, and enter the zone filename that you copied from UNIX to Win2K or the zone filename that you modified from the UNIX zone filename, such as db.acme or acme.com.dns. In the next screen, you select this DNS server to be the primary server that holds the master copy of the created zone. (BIND often calls this primary server the primary master server.) After you migrate the old zone file to the Win2K DNS server, you need to change the Allow dynamic updates setting to Yes in the General tab of the zone file's properties to enable dynamic updates for the zone. By default, Win2K sets this option to No. To enable load balancing and fault tolerance, you need to set up at least one secondary DNS server for each forward and reverse lookup zone.

With Win2K's DNS service in place, you can implement AD. If you promote a Win2K server that hosts the DNS server to a domain controller, you can integrate the DNS server into AD. All AD-integrated DNS servers are primary master servers, which store the zone information in AD and replicate one another through AD's multimaster replication mechanism. An AD-integrated DNS server also supports secure dynamic updates; this support lets you define which Win2K clients can perform a dynamic update.

If your intranet DNS servers are also your Internet name servers, you need to ask InterNIC (http://rs.internic.net) to change your domain registration to your new server names and IP addresses. In addition, you need to ask the American Registry for Internet Numbers (ARIN—http://www.arin.net) to change your IN-ADDR registration to the new name servers for reverse lookup on the Internet.

New Win2K clients and other clients can now use the new DNS servers. If you still have clients that use DHCP, you simply change old DNS server addresses to the new DNS server addresses in the DHCP server's configuration. The old client receives the new DNS server addresses the next time the client renews its IP address or the user restarts the computer.

Option 2: Coexistence
Most companies running a UNIX DNS service have heterogeneous OS environments that include Linux, Novell NetWare, UNIX, and Windows systems. To minimize the interruption to non-Windows users when you deploy Win2K, you can create a DNS subdomain and dedicate it to AD. AD doesn't require a two-level domain name such as acme.com. You can set up your AD root domain as a subdomain (e.g., win2k.acme.com) in your company's UNIX DNS hierarchy. In Figure 1, win2k is a subdomain of the Acme Corporation's existing DNS system. The win2k subdomain uses the Win2K DNS service.

For the Win2K DNS service to function in the new subdomain, you need to create a separate DNS zone for the subdomain and delegate the subdomain to at least one Win2K DNS server. This DNS server becomes an authoritative name server and provides DNS service for the subdomain. For example, if you install two name servers, ns1.win2k.acme.com and ns2.win2k.acme.com, for the subdomain win2k.acme.com, you can delegate the subdomain to both name servers in the acme.com domain. The two name servers become authoritative name servers for the subdomain win2k.acme.com and provide fault tolerance and load balancing.

You complete the delegation by adding an NS record for the subdomain to the parent domain's zone file. For example, to delegate the subdomain win2k.acme.com to the name server ns1.win2k.acme.com in the acme.com domain, you enter the following BIND statement in the zone file of acme.com:

win2k	86400	IN  NS  ns1.win2k.acme.com.

You also need to include an A record for the host ns1.win2k.acme.com in the acme.com zone file.

Next, you need to set up a reverse lookup zone for the Win2K subnet. If your Win2K systems will reside on a separate subnet, you can use Win2K DNS servers to perform reverse lookups of host names. If your Win2K and non-Windows computers reside on the same subnet, you need to use your UNIX DNS systems as name servers for reverse lookup zones or switch to Win2K DNS. If you don't plan to use Win2K DHCP to dynamically register PTR records, you can continue to use UNIX DNS for reverse lookup. If you plan to take advantage of Win2K DNS's dynamic PTR record updates and your UNIX DNS server doesn't support this functionality, you need to switch to a Win2K DNS server for reverse lookup.

Alternatively, Win2K and UNIX DNS servers can work together as primary and secondary name servers for the same zone. For example, in Figure 1, the Win2K DNS server that primarily serves the win2k subdomain can be a secondary name server for the acme .com zone. Using this setup, a Win2K user in win2k.acme.com can quickly resolve a UNIX host name from the local Win2K DNS server. If your UNIX DNS server supports SRV RRs, you can set up a UNIX name server as a secondary name server of the AD domain. However, if the UNIX DNS server doesn't support dynamic updates, don't make that server an authoritative name server for the zone. When a DNS client sends a dynamic update to the zone's authoritative name server, the authoritative server forwards the update to the zone's primary master server for a zone update. If an authoritative name server doesn't support dynamic updates, it can't understand or service an arriving dynamic update request. A UNIX DNS server can be a secondary server to a Win2K DNS server even if the Win2K DNS server is AD-integrated. However, an AD-integrated DNS server can't be a secondary name server.

Option 3: Only UNIX DNS
Companies that have long run UNIX DNS servers might regard the network naming service as a part of UNIX administration and intend to use UNIX DNS throughout and after a Win2K deployment. If you're managing the UNIX DNS service for such a company, you probably need to upgrade your UNIX DNS servers to a version that supports SRV RR and dynamic updates because Win2K and AD require this support. BIND is the most popular UNIX DNS implementation, so I'll focus on upgrading and using BIND to support Win2K. If you want to use an alternative UNIX DNS implementation, consult the vendor and request a new DNS version that supports SRV RRs and dynamic updates.

Developers at the University of California at Berkeley originally wrote BIND. ISC now maintains and develops BIND and has ported BIND to almost all UNIX platforms, including Linux. ISC has also ported BIND 8.2.2, which is the most recent version, to NT. ISC is developing BIND 9, which will change the underlying BIND architecture to support fast-growing Internet zones (e.g., .com) and include additional new features. As I discussed previously, BIND 8.2.2 fully supports Win2K. BIND is open-source freeware that you can download from ISC's FTP server (ftp://ftp.isc.org/isc/bind/src).

After you unzip and tar (i.e., archive) the BIND distribution file, you'll find BIND source code located in the src directory under the directory you saved the BIND distribution file in. In the src/port directory, you'll find about 20 directories, such as solaris and winnt. Each OS-named directory contains a makefile file that lets you use a C compiler from your OS vendor or GNU's GCC compiler (http://www.gnu.org) to easily compile BIND for your OS platform. The INSTALL file in the src directory includes instructions for compiling and installing BIND for your OS.

BIND 8.x uses a different configuration filename than BIND 4.x uses. In BIND 4.x, the configuration file is named.boot, and in BIND 8.x, the configuration file is named.conf. This file specifies the location of zone files, sets global and zone-specific parameters, and instructs the BIND server to read and load zone files when the named daemon starts. This file is often in the /etc directory. BIND 8.x also uses a different syntax in named.conf than BIND 4.x uses in named.boot. Listing 1 shows an example of a BIND 8.2.2 named.conf file. If you upgraded from BIND 4.x to BIND 8.2.2, you need to convert named.boot to named.conf. Fortunately, BIND 8.2.2 offers a bind-bootconf shell script in the src/bin/namedbootconf directory to convert named.boot to named.conf without a manual modification.

By default, BIND 8.2.2 disables dynamic updates. You must enable the dynamic update function per zone. To enable dynamic updates in a zone, you need to add an allow-update {address_match_list} statement to the zone's section of BIND's named.conf file. You can use an existing zone or create a new zone based on your AD design. The IP addresses in the allow-update address match list tell the system which hosts in the list to authenticate for dynamic updates. For example, in Listing 1, named.conf allows only hosts in the subnet 192.168.1/24 to dynamically update the forward lookup zone acme.com and reverse lookup zone 1.168.192.in-addr.arpa. However, this authentication method doesn't fend off attacks. Attackers can use a host listed in the address match list to attack a dynamic zone by sending a dynamic update request that deletes an important record or all records in the zone. To ensure DNS data authentication and integrity, RFC 2065 implemented DNS Security (DNSSEC) extensions in BIND 8.2.2. Unfortunately, Win2K doesn't support DNSSEC, so you can't use DNSSEC in BIND 8.2.2 in a Win2K deployment.

The format of a zone file in BIND 4.x and BIND 8.x is the same. However, to support negative caching of DNS queries (functionality that RFC 2308 standardized), BIND 8.2 and later use the seventh parameter in a System Object Access (SOA) record (i.e., minimum TTL) as an explicit negative caching TTL parameter. If a DNS resolver tries to query a nonexistent record, the negative caching TTL parameter tells the DNS resolver how long to cache the information stating that the resource record doesn't exist. BIND 8.1 and earlier versions that don't support RFC 2308 traditionally use the minimum TTL parameter as the default positive caching TTL value for resource records without an explicit TTL value. This positive caching TTL parameter lets a DNS resolver cache a resolved record in the amount of time that the parameter specifies. When you use an old zone file (i.e., a BIND 8.1 or earlier zone file) for BIND 8.2.2, you need to add a $TTL directive (e.g., $TTL 86400) to specify a default positive caching TTL value in the zone file. The $TTL directive placed before the SOA record becomes the default positive caching TTL value for all records in that zone. If you don't add a $TTL directive, BIND 8.2.2 uses the negative caching TTL value as the positive caching TTL value, and the negative caching TTL value is usually much smaller than the positive caching TTL.

After you make necessary changes to the named.conf file and zone files, you can start or restart the named daemon so that it uses the new configuration and zone files. You might want to use the BIND nsupdate utility first to ensure that your DNS server supports dynamic updates. After you verify your server's support, your BIND DNS server is ready to accept dynamic updates from Win2K systems. When BIND receives a dynamic update, it saves the update in a log file whose name corresponds with the zone name (e.g., db.acme.log) and updates the DNS data in memory. BIND updates the zone file periodically (about once an hour) and removes the old log file when BIND commits the update. In this way, BIND aggregates dynamic updates to a batch process rather than updating the zone file every time BIND receives a dynamic update. This mechanism can simultaneously handle numerous updates.

When you use dynamic updates for a zone in BIND, don't manually modify the zone file. BIND sets the zone file attribute to read-only after it updates the zone, so any manual changes you make between zone updates will be lost. If you need to add, remove, or modify a record, you can use the nsupdate utility to manually send a dynamic update request to the zone.

BIND 8.2 and later support incremental zone transfer (RFC 1995 defines this functionality), which lets a secondary name server (a slave name server in BIND 8.x terminology) transfer only changes rather than an entire update. The BIND master server maintains the changes between one SOA serial number and the next in a zone's .ixfr file (e.g., db.acme.ixfr). When a slave server requests an incremental zone transfer, the master server transfers only the changes. Win2K DNS supports incremental zone transfer.

Ready, Set, Go
Now that you have a better understanding of Win2K's DNS requirements, you can decide which option will work best to integrate your UNIX DNS service and Win2K. After you set up a functional DNS infrastructure that supports SRV RR and dynamic updates, you're ready to deploy Win2K and AD. This setup lets you take advantage of Win2K's enhancements and build your network applications around AD.

End of Article

   Previous  1  [2]  Next  


Reader Comments
The "Printable Version" is too broad, so that you cannot print it :(

Fabian Warkalla January 26, 2000

We want to make our Windows 2000 DNS server a secondary DNS for the Unix Primary DNS.
We host over 800 domains and *really* want to avoid having to plug each domain into Win2K's DNS program manually.
Is there a batch command that will automatically download and setup the domains?

With unix DNS, you just turn up the secondary and the primary transfers the files automatically.




Tom Gilmer February 21, 2001

Hi Tom,

I think that it should work as you describe for creating a secdonary zone and getting the records over. That's basically what NT and Win2K do, I don't see why the UNIX server would not be able to do it with Win2K, as long as it's the most current version.

Have you thought about just copying the "zone" files from UNIX to Windows? When restoring DNS, those are the files that are required in NT.

I don't know how this would work if you integrated your DNS into Active Directory, but it would be logical that it would not be any different... except that there would be no zone files in the integrated version.

Let us know.

Cheers.

Kevin November 13, 2001

You must be a registered user or online subscriber to comment on this article. Please log on before posting a comment. Are you a new visitor? Register now




Top Viewed ArticlesView all articles
WinInfo Short Takes: Week of November 23, 2009

An often irreverent look at some of the week's other news, including some post-PDC some soul searching, a Google Chrome OS announcement and a Microsoft response, Windows 7 off to a supposedly strong start, the Jonas Brothers and Xbox 360, and so much more ...

Command Prompt Tricks

One reader shares his tip for setting up the command prompt to reflect a remote path. ...

2009 Windows IT Pro Editors' Best and Community Choice Awards

Picking a favorite product from an impressive crowd of competitive offerings is never an easy task, and such was the case with our Editors' Best and Community Choice awards this year. ...
Related Events Deep Dive into Windows Server 2008 R2 presented by John Savill

Windows, Unix, Linux Interoperability

Check out our list of Free Email Newsletters!
Windows OSs eBooks Understanding and Leveraging Code Signing Technologies

A Guide to Windows Certification and Public Keys

SQL Server Administration for Oracle DBAs
Related Windows OSs Resources Introducing Left-Brain.com, the online IT bookstore
Looking for books, CDs, toolkits, eBooks? Prime your mind at Left-Brain.com

Discover Windows IT Pro eLearning Series!
Clear & detailed technical information and helpful how-to's, all in our trademark no-nonsense format


ADS BY GOOGLE

Job Openings in IT SPONSORED LINKS FEATURED LINKS
Calculate your savings now
See how SAN is 57% cheaper than DAS over three years

Free CDs Offer Fundamental Content for IT Pros
Are you up to speed on the latest technologies and solutions? Don't miss out on your chance to get up to speed quickly on fundamental, in-depth information on some of the hottest topics in our library of content.

Let Your Users Reset Their Own Passwords: Free Download
Try a 30 day free trial of Desktop Authority Password Self-Service – it provides an easy-to-use, robust system for allowing users to reset their own forgotten passwords or locked accounts.


Exchange Server 2010: Deploying Unified Communications - Virtual conference
December 1, 2009 - Free Registration. Build your Unified Communications future on a strong Exchange Server 2010 foundation.

Get Windows IT Pro & Mark Minasi’s Favorite Power Tools Guide
Order Windows IT Pro now and get "More of Mark Minasi's Favorite Power Tools"--a in-depth guide to the most useful Windows commands --FREE with your paid order! Subscribe today, and save 58% off the cover price!

Migration, Virtualization, Availability, and Desktop Management
Realize the importance of a workload optimization strategy...it can affect your bottom line!

Deep Dive into VMware vSphere, eLearning Series
Join John Savill to explore the major functionality capabilities of the vSphere virtualization platform, including identification of the changes from ESX 3.5.
Windows IT Pro Home Register FAQ for Windows WinInfo News
Europe Edition About Us Contact Us/Customer Service Media Kit Affiliates / Licensing  
SQL Server Magazine Office & SharePoint Pro DevProConnections IT Job Hound
Left-Brain.com Technology Resource Directory asp.netPRO ITTV Windows SuperSite 
 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement