The Domain Name System (DNS) implementation under Windows 2000/2003 differs in several ways from legacy DNS servers. The most notable change is the ability to dynamically register DNS records for objects and services in an Active Directory domain. This web page, intended for Cornell departmental information technology managers, provides information and guidelines for integrating Windows 2000/2003 AD domains with Cornell's DNS servers while still supporting the Dynamic DNS capability that AD needs to function properly.
CIT has provided support in the past to allow departmental Windows 2000 domain controllers to send dynamic updates to Cornell's DNS servers. However, as of June 1, 2004, CIT will no longer support Dynamic DNS updates. Data from dynamic updates is recorded in DNSDB, which will be used for the Network Registry. However, information from dynamic updates does not contain all the required data to comply with the Network Registry. Any Active Directory Domain Controllers that are configured to use CIT's DNS servers need to be reconfigured to use a local DNS server. The conversion can be done anytime over the next six months (June-December 2004). The process is fairly simple but needs some coordination with Cornell Hostmaster. Please contact the Hostmaster at hostmaster@cornell.edu to notify them that you will be making this change and to coordinate this process.
Under the new setup, the system administrator must run one or more local DNS servers under Windows for their domain. This local DNS server should be configured as the authoritative server for the domain, and the Windows Domain Controllers will use it for dynamic updates. The CIT DNS servers will still be the primary servers for the domain and will delegate the _MSDCS, _SITES, _TCP and _UDP zones to the Windows DNS server. Therefore, all clients should continue to use CIT's DNS servers for name resolution. CIT will not delegate the whole Windows domain, since all hosts need to be registered in DNSDB (aka Network Registry).
Configuring DNS for Active Directory Domains
- Install and configure the DNS service on at least one Windows Domain Controller. For specifics on configuring the DNS service, see the section titled Configuring DNS services on a Windows Domain Controller below.
Note: If you don't already have Active Directory running on the server, during the AD install process via DCPromo, select 'No, I will install and configure DNS myself'.
- Reconfigure the preferred DNS server IP address on the domain controllers to point to the local DNS server's IP address. If you have a secondary DNS server in your domain, use the IP address of that server for the Alternate DNS server. Click the Advanced button, select the DNS tab and make sure the box "Register this connection's addresses in DNS" is checked.
- On each domain controller, restart the Net Logon service from Administrative Tools --> Services. Then open a command prompt (cmd.exe) and execute this command: ipconfig /registerdns. These steps register the DNS records with the local DNS server.
- From the Administrative Tools, select DNS. Expand the DNS server's Forward Lookup Zones folder and check for the presence of records under your domain. You should see _MSDCS, _SITES, _TCP and _UDP folders and SRV records under these folders.
- Once these records show up under the local DNS server, go to http://dnsdb.cit.cornell.edu/dnsdb-cgi/domain.pl, select your domain and assign your DNS server(s) for your SRV record zones. Your DNS server(s) should be added in the section titled "Windows DNS Servers for SRV records for <your domain>.cornell.edu". In this example, the Windows Server running the DNS service is named flamenco.mydomain.cornell.edu.
- Configure all the other machines in your domain (non-domain controllers such as desktops, laptops, other network devices) to use CIT's DNS servers: 132.236.56.250, 128.253.180.2, 192.35.82.50 etc.
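As an added verification step (not part of the original page or of CIT's procedure), this cmd.exe batch script queries the key Active Directory SRV records through both the local Windows DNS server and one of CIT's servers, so you can confirm that the _MSDCS/_SITES/_TCP/_UDP delegations answer before relying on CIT's servers for clients. The domain name, server name and the site name Default-First-Site-Name are assumed example values.

```batch
@echo off
setlocal
rem Added example, not from the original page: verify that the AD SRV records
rem registered on the local Windows DNS server are also answered through CIT's
rem servers, which shows the _MSDCS/_SITES/_TCP/_UDP delegations are working.
rem Assumed values (change for your domain): the page's example names plus the
rem default AD site name.
set DOMAIN=mydomain.cornell.edu
set LOCALDNS=flamenco.mydomain.cornell.edu
set CITDNS=132.236.56.250
set SITE=Default-First-Site-Name

rem SRV names every domain controller must publish; each lives in one of the
rem four delegated zones (_tcp, _udp, _msdcs, _sites).
set NAMES=_ldap._tcp.%DOMAIN% _kerberos._tcp.%DOMAIN% _kerberos._udp.%DOMAIN%
set NAMES=%NAMES% _ldap._tcp.dc._msdcs.%DOMAIN% _ldap._tcp.%SITE%._sites.%DOMAIN%

for %%N in (%NAMES%) do (
  call :check %%N %LOCALDNS%
  call :check %%N %CITDNS%
)
endlocal
goto :eof

:check
rem %1 = SRV name, %2 = DNS server. nslookup prints one "svr hostname" line
rem per SRV answer; count those lines to see whether any record came back.
set /a COUNT=0
for /f "delims=" %%L in ('nslookup -type=SRV %1 %2 2^>nul ^| findstr /i /c:"svr hostname"') do set /a COUNT+=1
if %COUNT% GTR 0 (
  echo OK       %1 via %2 - %COUNT% SRV records
) else (
  echo MISSING  %1 via %2 - check the delegation or rerun ipconfig /registerdns on the DC
)
goto :eof
```

A name that resolves via the local server but is MISSING via CIT points at the delegation assigned in DNSDB; a name missing from both means the domain controller has not registered it yet.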
Configuring DNS services on a Windows Domain Controller:
Windows 2000 Server:
- Install Domain Name System (DNS) under Networking Services from Add/Remove Windows Components under Add/Remove Programs in the Control Panel.
- Select DNS from Administrative Tools. Right click on the server name and choose 'Configure the Server'. Click Next.
- If you are asked, select 'This is the first DNS server on this network'. Click Next.
- Select 'Yes, create a forward lookup zone' and click Next.
- Select 'Standard Primary' and click Next. Optionally, you can choose Active Directory Integrated.
- Type the DNS suffix for your domain. In this example, it's 'mydomain.cornell.edu'.
- For the zone file, select the default name, in this example, mydomain.cornell.edu.dns. Click Next.
- For Reverse lookup zone, select 'No, do not create a reverse lookup zone'. Press Next and then the Finish button.
- Select DNS from Administrative Tools, expand the server name and the Forward Lookup Zones folder, and right click on your domain name. Select Properties. Change 'Allow Dynamic Update' to Yes. Click OK to save changes.
Windows Server 2003:
- Install Domain Name System (DNS) under Networking Services from Add/Remove Windows Components under Add/Remove Programs in the Control Panel.
- Select DNS from Administrative Tools. Right click on the server name and select 'Configure a DNS Server'. Click Next at the wizard.
- At the next screen, select 'Create a forward lookup zone'. Click Next.
- Choose 'This server maintains the zone', and click Next.
- Type in the name of your zone at the next screen, for example, mydomain.cornell.edu.
- Select 'Allow both non-secure and secure dynamic updates'. Press Next. (The 'Allow only secure dynamic updates' choice is offered only for zones stored in Active Directory; with a standard primary zone, any host that can reach the server can update records, so dynamic updates should be turned off on machines that do not need them, as described below.)
- On the Forwarders page, select 'No, it should not forward queries.'
- Click Finish.
Disabling Dynamic Updates on non-domain controllers:
For machines that do not need to send dynamic updates, such as a stand-alone server that is not a Domain Controller, a web server, or a Windows 2000 Professional machine, it might be desirable to turn off these automatic DNS updates. To disable the automatic DNS updates, on your Windows 2000 machine:
- Go to the TCP/IP properties in Network Control Panel.
- Click on the Advanced button and then select the DNS tab.
- At the bottom of the page, clear the checkbox labeled "Register this connection's addresses in DNS".
This will also prevent unnecessary error messages from being logged in Event Viewer on machines whose IP addresses are not registered for dynamic update.
Note: You must NOT have this disabled on your domain controllers.
Last updated: May 25, 2007