Mythbusting Active Directory DNS

BY Ben Ball

Active Directory uses DNS records for service discovery, steering clients to domain controllers for the various services and sites that make up an AD installation. It typically uses dynamic DNS updates to keep this data up to date.  When we start talking to administrators about implementing our core DDI solutions, we often get a lot of questions about the impact on Active Directory.

What are the DNS requirements for Active Directory?

It’s a common misperception that Active Directory requires Windows DNS servers to function properly.  That’s simply not the case.  Active Directory is agnostic as to which DNS server it works with.  What it does require is a DNS service that supports SRV resource records (RFC 2782), which clients use to locate domain controllers, and, in practice, dynamic updates (RFC 2136), so that domain controllers and clients can register their own records.  As long as the DNS solution is designed and configured to meet those requirements, the two will work together.

Why BlueCat DNS is a better choice for Active Directory

There are clear disadvantages to using Active Directory with a decentralized Microsoft DNS infrastructure. 

Environments with a large number of Active Directory domains come with many complexities, and with complexity comes limitations.  Some DNS configuration is held centrally (AD-integrated zone data, replicated through the domain or forest application partitions), and some is not (server-level settings such as forwarders, root hints and scavenging, which live on each DNS server).  This partial decentralization leads to mistakes and confusion.  AD lacks a centralized view of the DNS namespace across domains and forests, which leads to a web of conditional forwarders rather than a clean separation between recursion and authority.  These are just a few examples of the limitations administrators encounter on large networks.

BlueCat DNS offers clear benefits over decentralized Microsoft DNS while preserving the interoperability with Active Directory that administrators are used to.  If you’re looking for AD integrated DNS, look no further.  BlueCat integrates into the Active Directory environment, supporting existing Microsoft deployments in place of Windows DNS.

Administrators can create the Active Directory zones in BlueCat Address Manager and enable dynamic updates on them, so that domain controllers and clients can register their own resource records. Once the configuration is deployed to a BlueCat DNS/DHCP Server, Active Directory servers can be configured to use it.

For advanced users, BlueCat supports secure dynamic updates from Active Directory clients using GSS-TSIG (RFC 3645), the Kerberos-based transaction signature mechanism that Windows clients use to sign DNS update messages. Because each signed update is tied to an authenticated principal, permissions can be granular: clients can be restricted to updating specific names, with explicit controls on which record types they can update.

Needless to say, BlueCat also adds significant technical and security capabilities that go far beyond Active Directory.  Our DDI platform does far more than Microsoft DNS – you can learn more in our eBook on the “Cost of Free”.

How to switch from Microsoft DNS to BlueCat in Active Directory

It only takes three simple steps to set up Active Directory to work with BlueCat DNS once BlueCat has been configured with the appropriate DNS zones and permissions to support an Active Directory domain.

Step one:  Change the DNS settings in Active Directory

Here’s the relevant set-up screen: the DNS client settings on the domain controller’s network adapter.  A domain controller usually defaults to the DNS service that already runs on the server itself.  All you have to do is select a different DNS service by entering one or more BlueCat DNS server addresses in its place.

Step two:  Migrate existing records

Once you’ve selected BlueCat as your DNS of choice for Active Directory, you can re-register the records that already exist for the server so that they are created on the BlueCat servers through dynamic update.  (This happens on its own over time: the Windows DNS client refreshes its host records periodically, every 24 hours by default, and Netlogon re-registers the domain controller locator records hourly.  Many of our customers, though, want to make the shift all in one go.)

There is a command line involved, but the effort is trivial.  You start by running ipconfig /registerdns, which sends a dynamic update for the server’s A (and PTR) records to the DNS servers now configured on each adapter.  Here’s what it looks like.

Drilling a bit deeper into the process, here’s what’s happening behind the scenes as the records are automatically updated by the system in the background.

Step Three:  Recreate Active Directory supporting records

Then you'll have to recreate the Active Directory supporting records: the SRV and CNAME locator records under _msdcs, _sites, _tcp and _udp that the Netlogon service registers for each domain controller.  There are a few options here:

  1. Use the command line to register the host DNS records and stop/start the Netlogon service on each domain controller
  2. Restart the Netlogon service from the Services administrative tool
  3. Import the DNS zones into BlueCat Address Manager using the XML import format

If option 3 is not used, the BlueCat version of the zone will be incomplete until all domain controllers have been moved over, because each domain controller registers only its own records.
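The three steps above, carried out on one domain controller and followed by a check of the locator records, as an added PowerShell example (not code from the original article or from BlueCat). The BlueCat server addresses, the domain name and the adapter selection are assumptions; run it in an elevated session on the domain controller being moved.

```powershell
# Added example, not from the original article: steps one to three on a single
# domain controller, then a check that the locator records Active Directory
# depends on now answer from the BlueCat servers. Addresses and names are assumed.
param(
    [string[]]$BlueCatDns = @('10.0.0.53', '10.0.1.53'),   # assumed BlueCat DNS/DHCP Server addresses
    [string]$Domain = 'corp.example.com'                    # assumed AD domain (forest root here)
)

# Step one: point every active adapter's DNS client at the BlueCat servers.
Get-NetAdapter | Where-Object Status -eq 'Up' | ForEach-Object {
    Set-DnsClientServerAddress -InterfaceIndex $_.ifIndex -ServerAddresses $BlueCatDns
}
Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object ServerAddresses |
    Format-Table InterfaceAlias, ServerAddresses -AutoSize

# Step two: dynamically register this server's A (and PTR) records with the
# servers just configured. Register-DnsClient does what 'ipconfig /registerdns' does.
Register-DnsClient

# Step three: re-register the domain controller locator records. Netlogon writes
# them on start-up; 'nltest /dsregdns' triggers the same registration without a restart.
Restart-Service -Name Netlogon

# Verify. Clients query these names to find a domain controller, so the move is
# not finished until each BlueCat server answers for them. -DnsOnly bypasses the
# local cache and hosts file so the answer really comes from the named server.
$checks = @(
    @{ Name = "_ldap._tcp.dc._msdcs.$Domain";     Type = 'SRV' },
    @{ Name = "_kerberos._tcp.dc._msdcs.$Domain"; Type = 'SRV' },
    @{ Name = "_ldap._tcp.pdc._msdcs.$Domain";    Type = 'SRV' },
    @{ Name = "$env:COMPUTERNAME.$Domain";        Type = 'A'   }
)
foreach ($server in $BlueCatDns) {
    foreach ($c in $checks) {
        try {
            $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -Server $server -DnsOnly -ErrorAction Stop
            $targets = if ($c.Type -eq 'SRV') {
                ($answer | Where-Object Type -eq 'SRV').NameTarget
            } else {
                ($answer | Where-Object Type -eq 'A').IPAddress
            }
            Write-Output ('{0}: {1} {2} -> {3}' -f $server, $c.Type, $c.Name, ($targets -join ', '))
        } catch {
            Write-Warning ('{0}: {1} {2} -> no answer ({3})' -f $server, $c.Type, $c.Name, $_.Exception.Message)
        }
    }
}

# Microsoft's own DNS health test for the domain controller, including record registration.
dcdiag /test:DNS /DnsRecordRegistration
```

Until every domain controller has run this (or the zones have been imported), the SRV answers from BlueCat will list only the controllers already moved, which is the incompleteness the paragraph above warns about.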

Some customers prefer to have the BlueCat Professional Services team assist with the migration effort. Our standard approach works this way:

  1. Import the DNS zones into BlueCat Address Manager using the XML import format, and validate the result (the domain controller locator records must answer from BlueCat before any client is sent there)
  2. Reconfigure DHCP option 6 to direct dynamic clients to the BlueCat DNS servers
  3. Configure global forwarding to BlueCat on all Microsoft DNS servers
  4. Remove the migrated zones from Microsoft DNS, keeping an export of each zone first; once a server is no longer authoritative for a zone, queries for it fall through to the global forwarder and are answered from the BlueCat DNS servers

This process allows statically-configured DNS clients to be reconfigured to use BlueCat over time, rather than requiring all such devices to be updated during a single maintenance window. If this procedure is executed correctly, there should be no downtime.
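The Microsoft DNS and DHCP side of that approach, as an added PowerShell example (not code from the original article or from BlueCat Professional Services), run on the Windows server that hosts the zone and the DHCP scope. The zone name, scope ID and BlueCat addresses are assumptions, and the script assumes the DnsServer and DhcpServer PowerShell modules are installed on that server.

```powershell
# Added example, not from the original article: the Microsoft DNS / DHCP side of
# the migration. Zone, scope and server addresses are assumed values.
param(
    [string]$Zone = 'corp.example.com',                    # assumed AD domain zone
    [string]$ScopeId = '10.0.10.0',                         # assumed DHCP scope
    [string[]]$BlueCatDns = @('10.0.0.53', '10.0.1.53')     # assumed BlueCat servers
)

# Step 1 is done in Address Manager. Export the zone first: it is the input for
# the import and the rollback copy. The file lands in %SystemRoot%\System32\dns.
Export-DnsServerZone -Name $Zone -FileName "$Zone.pre-migration.txt"

# Validate the import from this server's point of view: every BlueCat server must
# carry the domain controller locator records before any client is sent there.
foreach ($server in $BlueCatDns) {
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server $server -DnsOnly -ErrorAction SilentlyContinue
    if (-not $srv) { throw "$server does not answer for _ldap._tcp.dc._msdcs.$Zone; stop here." }
}

# Step 2: DHCP option 6 (DNS servers) on the scope, so dynamic clients move to
# BlueCat at their next lease renewal. The cmdlet checks that the servers are
# reachable; -Force would skip that check.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -DnsServer $BlueCatDns

# Step 3: forward everything this server is not authoritative for to BlueCat and
# stop using root hints, so statically-configured clients that still point here
# get their answers from BlueCat.
Set-DnsServerForwarder -IPAddress $BlueCatDns -UseRootHint $false
Get-DnsServerForwarder

# Step 4: drop local authority so queries for the zone fall through to the
# forwarder. If the zone is AD-integrated, removing it can delete the directory
# copy that other domain controllers load, so do this only after every domain
# controller has been repointed and with the export above in hand.
Remove-DnsServerZone -Name $Zone -Force

# Confirm the zone now resolves through this server's forwarder.
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Zone" -Type SRV -Server 127.0.0.1 -DnsOnly
```

The validation probe before step 2 is the check that makes the no-downtime claim hold: if BlueCat cannot answer the locator queries, clients moved by DHCP option 6 would lose domain controller discovery, so the script refuses to continue.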

Learn more about BlueCat's approach to core DDI and migration services.

Ben Ball

Ben Ball is a Government Market Manager at BlueCat, handling business development and marketing outreach in the Federal, State, and local government markets. Ben served for ten years as a Federal employee, with three tours as a Foreign Service Officer (Saudi Arabia, Turkey, Jordan), and five years at the Department of Homeland Security, where he focused on immigration issues. A graduate of the Fletcher School of Law and Diplomacy and Pitzer College, Ben lives in the San Francisco Bay Area.
