DNS on Windows 2000: Migrate or coexist?

ITworld.com –

If you're planning a Windows 2000 Server domain migration, a solid DNS strategy to support deployment of Windows 2000's Active Directory (AD) is the first among your many concerns.

In companies that currently run DNS on non-Windows platforms, the factors that guide your DNS integration decisions could well be based less on technology than on corporate politics and religion. As the Windows 2000 architect, it's your job to arm yourself with the appropriate technical information to fight those political and religious battles as they arise.

Position yourself to offer solutions rather than problems. This and my next few columns on AD/DNS integration strategies should help.

Our story so far...

In my last column, I discussed in some detail how AD uses DNS to advertise services such as AD domain controllers and Global Catalog servers. I also identified why AD's base DNS requirements -- support for SRV resource records and Dynamic DNS -- are critical to a smooth AD deployment.

In addition, I laid out the three migration strategies commonly used by organizations who currently host DNS on platforms other than Windows NT or Windows 2000. To recap, those approaches are as follows: (1) Migrate your current system to Windows 2000-based DNS servers; (2) use your current DNS environment to support AD's DNS requirements; or (3) integrate Windows 2000 DNS servers into your current DNS environment. With this column, I begin to cover each of those three scenarios in more detail, starting with the first option -- migrating your current system to Windows 2000-based DNS servers.

While your current DNS may be deployed on any number of different platforms, I'll focus these columns only on integration with Unix (or Unix variant-based) DNS servers, since they account for the greatest population of DNS servers.

Organizational and technical considerations

I don't want to prejudge, but I think it's a safe bet that many Unix administrators have a general mistrust of Microsoft products. Depending on the personalities in your organization, therefore, planning for full-scale migration from Unix-based DNS to Windows 2000 AD/DNS services could be a hard-fought battle with little chance for success.

In addition, if another group in your organization is already managing DNS, consider whether you really want to champion the idea of bringing the service under your umbrella. Depending on the size of your organization, taking on DNS responsibilities could require that you cultivate greater DNS expertise than you might already have. It could also require a significant support commitment by your department.

If you still find taking on DNS an attractive proposition, and if organizational resistance is feeble -- some groups might gladly volunteer to give up DNS responsibility -- migration to Windows 2000-based DNS should not require an exhaustive effort. That's especially true compared to your other two options -- supporting AD's DNS requirements with, or integrating Windows 2000 DNS servers into, your current DNS environment.

Wholesale migration is relatively easy because DNS zone database files are simply ASCII text files that pretty much follow the same standard notations regardless of DNS implementation. You should therefore be able to simply import the majority (if not all) of your current DNS zone files to a Windows 2000 DNS server without modification. You can do that by first copying the zone files (typically named in db.zone-name format, where zone-name represents the name of the DNS forward and reverse lookup zone) to the Windows 2000 machine that will be running DNS. Then, as you use Windows 2000 DNS Manager to add a new zone, simply specify its zone file, which you copied from your Unix-based implementation.

In addition to migrating the zone files, you'll want to set the DNS options already enabled in your Unix-based DNS in your new Windows 2000 implementation. Typical options might include which hosts are allowed to perform zone transfers for each DNS zone and whether the server allows recursion. Using recursion, a server can look up records in zones the server is not authoritative for and return those records to requesting clients.

These are just a couple of the many possible settings you might want to migrate. Carefully examine feature parity between your current system and Windows 2000's DNS before you migrate, making sure you'll have support for everything you need.

Finding your footing

Here are a few general guidelines to help you pin down the location of your DNS options settings in both your current system and in Windows 2000.

For starters, most Unix-based DNS implementations are based either on the Berkeley Internet Name Domain (BIND) system -- version 4.x or earlier, or version 8.x or later -- or on BIND-compliant systems.

In BIND, most DNS options are set in /etc/named.conf (under BIND 8.x and above) or /etc/named.boot (under BIND 4.x and earlier). Generally, options that are server-specific in nature, such as disabling recursion or specifying DNS forwarders (servers designated to forward queries to if the server does not have an answer for a query), are found in the top portion of the /etc/named.conf file (or the named.boot file under BIND 4.x).

Under Windows 2000 DNS, server-specific options can be set in DNS Manager by right-clicking on the DNS server and selecting the Properties options. That brings up the server's Properties dialog, which presents a series of check boxes and fields for setting all of your server-specific options.

Under BIND, options that are zone specific -- such as which servers are authorized to perform zone transfers for a zone and the Time To Live (TTL) parameters for zone records -- are set in two different places: /etc/named.conf and the zone's data file. When migrating to Windows 2000's DNS implementation, options from both of those locations can be manipulated from a single place -- the zone's properties dialog box -- by right-clicking on the zone and selecting the Properties option.

Some zone-specific options, such as which hosts are authorized to perform zone transfers, are set in the zone-specific portion of /etc/named.conf (or /etc/named.boot under BIND 4.x). The following example, the zone portion of a sample BIND 8.x named.conf file, illustrates the concept (the two addresses are example values standing in for ns2.itworld.com and ns3.itworld.com):

    zone "itworld.com" {
           type master;
           file "db.itworld";
           allow-transfer { 192.0.2.2; 192.0.2.3; };  // example addresses of ns2 and ns3
    };

Here, the zone parameters start with the zone statement, which identifies the zone ("itworld.com"), and end with the closing brace and semicolon ("};"), which delineate the end of the zone statement. The allow-transfer keyword specifies the two hosts ns2.itworld.com and ns3.itworld.com, identified by their IP addresses (allow-transfer takes an address match list, not hostnames), as authorized to perform zone transfers with the server for the itworld.com domain. If allow-transfer is omitted, BIND 8 allows any host to transfer the zone, so make sure the same restriction is re-created on the Windows 2000 side.
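Before migrating, it helps to inventory exactly which server-wide and zone-specific options the BIND configuration sets so that each can be re-created in DNS Manager. The following script is an added example, not code from the column: it splits a named.conf into top-level statements, pulls the recursion setting and each zone's allow-transfer list, and flags zones whose transfers BIND leaves unrestricted; the sample configuration and its addresses are constructed.

```python
import re

# Constructed sample BIND 8.x named.conf; not taken from the column.
NAMED_CONF = """
options {
    recursion no;
};
zone "itworld.com" {
    type master;
    file "db.itworld";
    allow-transfer { 192.0.2.2; 192.0.2.3; };  // ns2 and ns3 by address
};
zone "2.0.192.in-addr.arpa" { type master; file "db.192.0.2"; };
"""

def statements(text):
    """Yield (header, body) per top-level `header { body };` after dropping /* */, // and # comments."""
    text = re.sub(r"/\*.*?\*/|(//|#)[^\n]*", "", text, flags=re.S)
    depth, start = 0, 0
    for i, ch in enumerate(text):
        if ch == "{":
            if depth == 0:
                start = i
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                header = text[text.rfind(";", 0, start) + 1:start].strip(" \n;}")
                yield header, text[start + 1:i]

def match_list(body, keyword):
    """Entries of `keyword { a; b; };`, or None when absent (BIND 8 then serves transfers to anyone)."""
    m = re.search(r"\b" + keyword + r"\s*\{([^}]*)\}", body)
    return m.group(1).replace(";", " ").split() if m else None

def parse_named_conf(text):
    """Separate server-wide options from per-zone transfer ACLs, the two places BIND keeps them."""
    server, zones = {"recursion": "yes"}, {}
    for header, body in statements(text):
        if header == "options":
            rec = re.search(r"\brecursion\s+(yes|no)", body)
            server["recursion"] = rec.group(1) if rec else "yes"  # BIND default is yes
        elif header.startswith("zone"):
            zones[re.search(r'"([^"]+)"', header).group(1)] = match_list(body, "allow-transfer")
    return server, zones

def unrestricted_zones(zones):
    """Zones whose transfers must be locked down by hand after the import."""
    return sorted(name for name, acl in zones.items() if acl is None)
```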

Other zone-specific options such as TTL parameters and zone name servers are set in the actual zone database file itself. Those parameters should generally migrate seamlessly when you copy the zone file to the Windows 2000 server's \winnt\system32\dns directory and specify the zone file when adding the zone from Windows 2000's DNS Manager.

The end game

You will, however, need to make at least a couple of adjustments. First, you'll need to change the authoritative or primary name server from your previous server's to your new Windows 2000 server's hostname. In Windows 2000's DNS Manager, you can do that from the Properties dialog for the DNS zone that you added. From the Start of Authority (SOA) tab, enter the name of the server in the Primary Server field.

In addition, if they don't already exist, you will need to add a host record (A record) to the imported zone and a corresponding pointer (PTR record) to the reverse lookup zone for the subnet that server is on.
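The two post-import adjustments above (new SOA primary server, plus an A record for it and a matching PTR record) can be checked or applied to the zone file before it is copied over. This is an added example, not code from the column: the zone file, the host name ns2k.itworld.com and the address 192.0.2.20 are constructed, and the serial is bumped so secondaries notice the changed SOA.

```python
import ipaddress
import re

# Constructed sample zone file in BIND format; not taken from the column.
ZONE_FILE = """\
$TTL 86400
@   IN  SOA ns1.itworld.com. hostmaster.itworld.com. (
            2000061501 ; serial
            10800 3600 604800 86400 )
    IN  NS  ns1.itworld.com.
ns1 IN  A   192.0.2.2
www IN  A   192.0.2.10
"""

SOA_RE = re.compile(r"(\bSOA\s+)\S+(\s+\S+\s*\(?\s*)(\d+)")

def update_soa_primary(zone_text, new_primary):
    """Point the SOA primary server (MNAME) at the new Windows 2000 host and
    bump the serial so secondaries pick up the change."""
    if not new_primary.endswith("."):
        raise ValueError("primary server must be a fully qualified name ending in '.'")
    def repl(m):
        return f"{m.group(1)}{new_primary}{m.group(2)}{int(m.group(3)) + 1}"
    text, n = SOA_RE.subn(repl, zone_text, count=1)
    if n != 1:
        raise ValueError("no SOA record found")
    return text

def a_records(zone_text, origin):
    """Fully qualified owner name -> address for each A record in the zone."""
    hosts = {}
    for line in zone_text.splitlines():
        m = re.match(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\S+)", line)
        if m:
            owner = m.group(1) if m.group(1).endswith(".") else f"{m.group(1)}.{origin}."
            hosts[owner] = m.group(2)
    return hosts

def ptr_record(address, hostname):
    """(owner, target) of the PTR record the reverse lookup zone needs."""
    return ipaddress.ip_address(address).reverse_pointer + ".", hostname

def post_import_fixups(zone_text, origin, new_primary, new_address):
    """Records still missing after the zone file is imported on the new server."""
    todo = []
    if a_records(zone_text, origin).get(new_primary) != new_address:
        todo.append(f"A {new_primary} {new_address}")
    owner, target = ptr_record(new_address, new_primary)
    todo.append(f"PTR {owner} {target}")
    return todo
```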

Choosing to fully migrate your current DNS to a Windows 2000-based DNS may well generate a political battle in your organization. But from the perspective of technical difficulty, the choice to migrate is relatively easy. Generally, you'd only need to migrate one server, then build secondary or slave servers to replicate zones from the primary server.

Just remember to evaluate the DNS options you're using today against the options that Windows 2000's DNS server offers, making sure that you're not taking a step back on any functionality if you migrate. If you do migrate your DNS to Windows 2000, you'll find a few options such as AD-integrated zones that are unique to Windows 2000's implementation.

In my next column, I'll delve into the specifics of using a Unix-based DNS system to support Windows 2000 and AD.

Windows on the Enterprise is a biweekly column that focuses on Windows 2000 technologies, and deployment and support strategies for enterprise environments.
