Active Directory relies on a properly configured and functional DNS infrastructure. If you have an Active Directory problem, chances are that you have a DNS problem. The first thing you should check is DNS. The second thing you should check is DNS. The third thing you should check is DNS.
What exactly is DNS?
This is a site for professionals, so I'm going to assume you've at least read the excellent Wikipedia article. In short, DNS allows IP addresses to be found by looking up a device by name. It's critical for the Internet to function as we know it and it's run on all but the smallest of LANs.
DNS, at the most basic level, is broken into three fundamental pieces:
- DNS Servers: these are the servers that hold records for all of the clients that they are responsible for. In Active Directory, you run the DNS Server role on a Domain Controller (or several).
- Zones: Copies of zones are held by servers. If you have an AD named ad.example.com, then there is a zone on your Domain Controllers that have DNS installed named ad.example.com. If you have a computer named computer and it was registered with that DNS server, it would create a DNS record named computer in ad.example.com and you would be able to reach that computer via the Fully Qualified Domain Name (FQDN), which would be computer.ad.example.com.
- Records: As I mentioned above, zones hold records. A record maps a computer or resource to a specific IP address. The most common kind of record is an A record, which contains a hostname and an IP address. The second most common are CNAME records. A CNAME contains a hostname and another hostname. When you look up hostname1, it performs another lookup and returns the address for hostname2. This is useful for obscuring resources like a web server or file share. If you have a CNAME for intranet.ad.example.com and the server behind it changes, everyone can continue to use the name they know and you only have to update the CNAME record to point to the new server. Useful, huh?
Ok, how does this relate to Active Directory?
When you install Active Directory and the DNS Server role on your first Domain Controller in the domain, it automatically creates two forward lookup zones for your domain. If your AD domain is ad.example.com as in the example above (note that you should not use just "example.com" as a domain name for Active Directory), you'll have a zone for ad.example.com and _msdcs.ad.example.com.
What do these zones do? GREAT QUESTION! Let's start with the _msdcs zone. It holds all of the records that your client machines need to find domain controllers. It includes records to locate AD sites. It has records for the different FSMO role holders. It even holds records for your KMS servers, if you run this optional service. If this zone didn't exist, then you wouldn't be able to log on to your workstations or servers.
What does the ad.example.com zone hold? It holds all of the records for your client computers, member servers, and the A records for your Domain Controllers. Why is this zone important? So that your workstations and servers can communicate with each other on the network. If this zone didn't exist, you could probably log in, but you wouldn't be able to do much else except browse the Internet.
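Here is an added PowerShell example (not part of the original answer) that checks, from any domain-joined machine, whether the records described above actually resolve: the DC locator SRV records in _msdcs and the matching A records in the main zone. The domain name ad.example.com is the answer's example; substitute your own.

```powershell
# Added example, not from the original answer. Assumes the domain name
# ad.example.com from the text above; replace it with your own.
$Domain = 'ad.example.com'

# DC locator SRV records live in _msdcs. A client that gets no answer here
# cannot find a domain controller and cannot log on.
$Srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$DcRecords = $Srv | Where-Object { $_.Type -eq 'SRV' }
$DcRecords | Select-Object NameTarget, Port, Priority, Weight

# Every advertised DC must also have an A record in the main zone, otherwise a
# client learns the DC's name but has no address to connect to.
foreach ($dc in $DcRecords) {
    $a = Resolve-DnsName -Name $dc.NameTarget -Type A -ErrorAction SilentlyContinue
    if (-not $a) { Write-Warning "No A record for advertised DC $($dc.NameTarget)" }
}

# Global catalog and PDC emulator locator records are also under _msdcs.
Resolve-DnsName -Name "_ldap._tcp.gc._msdcs.$Domain"  -Type SRV
Resolve-DnsName -Name "_ldap._tcp.pdc._msdcs.$Domain" -Type SRV

# Cross-check with the DC locator itself, which uses the same records.
nltest /dsgetdc:$Domain
```

If the SRV lookups fail but nltest succeeds, the machine is probably cached or using a different DNS server than the one you queried; compare the server in the Resolve-DnsName output with the adapter's configured DNS servers before changing anything on the DNS side.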
How do I get records in these zones?
Well, fortunately for you, it's easy. When you install and configure the DNS server settings during dcpromo, you should elect to allow Secure Updates Only if given the choice. This means that only known domain-joined PCs can create/update their records.
Let's back up for a second. There are a few ways that a zone can get records in it:
- They are automatically added by workstations that are configured to use the DNS server. This is the most common and should be used in tandem with "Secure Updates Only" in most scenarios. There are some edge cases where you don't want to go this way, but if you need the knowledge in this answer, then this is the way you want to do it. By default, a Windows workstation or server will update its own records every 24 hours, or when a network adapter gets an IP address assigned to it, either via DHCP or statically.
- You manually create the record. This might happen if you need to create a CNAME or other type of record, or if you want an A record that isn't on a trusted AD computer, perhaps a Linux or OS X server that you want your clients to be able to resolve by name.
- You let DHCP update DNS when leases are handed out. You do this by configuring DHCP to update the records on behalf of the clients and add the DHCP server to the DNSUpdateProxy AD group. This isn't really a good idea, because it opens you up to zone poisoning. Zone poisoning (or DNS poisoning) is what happens when a client computer updates a zone with a malicious record and attempts to impersonate another computer on your network. There are ways to secure this, and it does have its uses, but you're better off leaving it alone if you don't know.
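An added PowerShell example (not from the original answer) for auditing the two settings the list above turns on: the dynamic-update mode of each AD-integrated zone and the membership of DnsUpdateProxy. It uses the DnsServer and ActiveDirectory modules from RSAT and is meant to be run on a DC or a management host; the zone names it finds come from your server, nothing is hard-coded.

```powershell
# Added example, not from the original answer. Requires the DnsServer and
# ActiveDirectory PowerShell modules (RSAT) and rights on the DNS server.
Import-Module DnsServer
Import-Module ActiveDirectory

# DynamicUpdate is one of None, NonsecureAndSecure, or Secure. Anything other
# than Secure on an AD zone lets an unauthenticated host register or overwrite
# a name, which is the zone-poisoning exposure described above.
Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsReverseLookupZone } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

# Tighten any AD-integrated forward zone that still accepts nonsecure updates.
# (Secure updates are only available on AD-integrated zones, hence the filter.)
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and -not $_.IsReverseLookupZone -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Warning "Zone $($_.ZoneName) allows '$($_.DynamicUpdate)' updates; setting Secure"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
    }

# DnsUpdateProxy membership. The answer recommends leaving DHCP-driven updates
# alone unless you know what you are doing, so this list should normally be empty.
Get-ADGroupMember -Identity 'DnsUpdateProxy' | Select-Object Name, objectClass
```

Run the first query on its own before the ForEach-Object block so you see what would change; the reverse-lookup zones are excluded only to keep the output focused on the forward zones the answer is discussing, not because they are exempt from the same setting.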
So, now that we have that out of the way, we can get back on track. You've configured your AD DNS servers to only allow secure updates, your infrastructure is chugging along, and then you realize that you have a ton of duplicate records! What do you do about this?
DNS Scavenging
This article is required reading. It details the best practices and settings that you'll need to configure for scavenging. It's for Windows Server 2003, but it's still applicable. Read it.
Scavenging is the answer to the duplicate record problem posed above. Imagine that you have a computer that gets an IP of 192.168.1.100. It will register an A record for that address. Then, imagine that it's powered off for an extended period of time. When it's back on, that address is taken by another machine, so it gets 192.168.1.120. Now there are A records for both of them.
If you scavenge your zones, this won't be a problem. Stale records will be removed after a certain interval and you'll be fine. Just make sure that you don't scavenge everything by accident, like using a 1 day interval. Remember, AD relies on these records. Definitely configure scavenging, but do it responsibly, as outlined in the article above.
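An added PowerShell example (not from the original answer) that does the "responsibly" part: it lists the dynamic records scavenging would delete before you enable it, warns if any of them belong to a domain controller, and only then turns on aging. The zone name ad.example.com is the answer's example, and the 7-day no-refresh and refresh intervals are assumed values; pick intervals that add up to at least your DHCP lease length.

```powershell
# Added example, not from the original answer. Assumes the zone name from the
# text and 7-day intervals; adjust both to your environment.
Import-Module DnsServer
Import-Module ActiveDirectory
$Zone      = 'ad.example.com'
$NoRefresh = New-TimeSpan -Days 7
$Refresh   = New-TimeSpan -Days 7

# Static (manually created) records have no Timestamp and are never scavenged.
# A dynamic record whose timestamp is older than NoRefresh + Refresh is exactly
# what scavenging will delete, so list those first.
$Cutoff = (Get-Date) - ($NoRefresh + $Refresh)
$Stale  = Get-DnsServerResourceRecord -ZoneName $Zone -RRType A |
    Where-Object { $_.Timestamp -and $_.Timestamp -lt $Cutoff } |
    Select-Object HostName, Timestamp, @{ n = 'IPv4'; e = { $_.RecordData.IPv4Address } }
$Stale | Format-Table -AutoSize

# Sanity check: a DC must re-register its own records, so none should be stale.
# If one is, that DC has a registration problem; fix it before scavenging, or
# scavenging removes a record AD depends on.
$DcNames = (Get-ADDomainController -Filter *).HostName
$Stale | Where-Object { "$($_.HostName).$Zone" -in $DcNames } |
    ForEach-Object { Write-Warning "DC record looks stale: $($_.HostName)" }

# Enable aging on the zone with the chosen intervals ...
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval $NoRefresh -RefreshInterval $Refresh
# ... and the scavenging job on this one server only, so a single server owns
# deletions and you have one place to look when a record disappears.
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7)

# Show the resulting settings for the change record.
Get-DnsServerZoneAging -Name $Zone
Get-DnsServerScavenging
```

Review the stale list against your asset inventory before enabling scavenging: anything you recognise as a live host that appears there is a client that has stopped refreshing its record, and that is the thing to fix, not the scavenging interval.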
So, now you have a basic understanding of DNS and how it is integrated with Active Directory. I will add bits and pieces down the road, but please feel free to add your own work as well.