DNS and Active Directory

What is AD DNS?

Domain Name System (DNS) is the name resolution method used to resolve host names to IP addresses on TCP/IP networks and across the internet. DNS is a namespace, and Active Directory is built on it: the DNS namespace spans the internet, while the Active Directory namespace spans a private network. DNS was chosen because it is highly scalable and an internet standard.

In an Active Directory environment, DNS also maintains a database of the services running on the network, stored as service (SRV) records. SRV records let a client locate any service it needs, such as a printer, and they are also how clients identify domain controllers.

Name resolution usually involves several DNS servers rather than a single one. Each DNS server queries its own database for an address corresponding to the record; if the requested information is not available, it forwards the query to another DNS server. For example, a name resolution may first query an internet root server, then the top-level domain server, then the second-level domain server, and so on until the name is resolved to its associated address.

Manually updating the DNS database every time a computer's IP address changes is time-consuming and error-prone, since entries are easily left out. Dynamic DNS makes these updates automatic: a newly installed server can register its own IP address and SRV records with the DNS server. Active Directory supports such dynamic updates.

AD depends on DNS for name resolution and for locating resources on a network. The DNS database holds resource records that identify the servers, domains, and services on the network. Some common types of DNS resource records are:

| Record type | Example | Purpose |
|---|---|---|
| A | `abc.com. IN A 172.9.54.11` | Maps a host name to an IPv4 address |
| CNAME | `cba.com. IN CNAME abc.com.` | Makes one domain an alias of another domain |
| PTR | `11.54.9.172.in-addr.arpa. IN PTR abc.com.` | Maps an IPv4 address to a host name |
| MX | `*.ab.bc.com. 14400 IN MX 0 ms1.ab.bc.com.` | Identifies the mail server for a particular domain |
| SRV | `_http._tcp.abc.com. IN SRV 0 5 80 ws1.abc.com.` | Maps a service to a particular server |

A DC registers an A record in AD DNS at boot time, along with the SRV records that map services such as Kerberos and LDAP to itself. When a client computer joins the network, it locates a DC by querying DNS: DNS retrieves the SRV record from its database and returns the DC's host name, and the client then asks DNS to resolve that host name to the DC's IP address. Without DNS, a client could neither authenticate to AD nor find the services it needs.
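The record syntax from the table and the two-step DC lookup just described, worked through in Python over a constructed zone (an added example, not code from the original article). The records follow the `owner IN TYPE rdata` form shown in the table; `_ldap._tcp.dc._msdcs.<domain>` is the well-known SRV name under which a DC advertises its LDAP service; the host names, addresses, priorities and weights are invented. The SRV choice also handles the priority/weight fields from RFC 2782, which the text does not cover.

```python
import random
# Constructed sample zone for a hypothetical abc.com, written in the record
# syntax of the table above (owner IN TYPE rdata). Not a real zone.
SAMPLE_ZONE = """
dc1.abc.com.                   IN A     172.9.54.21
dc2.abc.com.                   IN A     172.9.54.22
ldap.abc.com.                  IN CNAME dc1.abc.com.
_ldap._tcp.dc._msdcs.abc.com.  IN SRV   0 100 389 dc1.abc.com.
_ldap._tcp.dc._msdcs.abc.com.  IN SRV   0 100 389 dc2.abc.com.
_ldap._tcp.dc._msdcs.abc.com.  IN SRV   10 0 389 dc3.abc.com.
"""

def parse_zone(text):
    """Index zone-file-style lines as {(owner, TYPE): [rdata field lists]}."""
    db = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                      # blank line or comment
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]               # class is optional in this parser
        db.setdefault((owner, rest[0].upper()), []).append(rest[1:])
    return db

def resolve_a(db, name, depth=0):
    """Resolve a host name to its IPv4 address, following CNAMEs (bounded)."""
    name = name.lower()
    if depth > 8:                         # refuse runaway CNAME chains
        return None
    if (name, "A") in db:
        return db[(name, "A")][0][0]
    if (name, "CNAME") in db:
        return resolve_a(db, db[(name, "CNAME")][0][0], depth + 1)
    return None

def pick_srv(db, service, rng=random):
    """RFC 2782 choice: lowest priority wins, weighted random among ties."""
    recs = [(int(p), int(w), int(port), t)
            for p, w, port, t in db.get((service.lower(), "SRV"), [])]
    if not recs:
        return None
    best = [r for r in recs if r[0] == min(recs)[0]]
    weights = [r[1] for r in best]
    return best[0] if sum(weights) == 0 else rng.choices(best, weights=weights)[0]

def locate_dc(db, domain, rng=random):
    """Two-step lookup from the text: SRV names a DC, then A gives its IP."""
    srv = pick_srv(db, f"_ldap._tcp.dc._msdcs.{domain}", rng)
    return None if srv is None else (srv[3], srv[2], resolve_a(db, srv[3]))
```

Because dc3 carries a higher priority value, it is only ever chosen when the priority-0 servers are absent, which is the behaviour a client shows when its preferred DCs are unreachable in DNS.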

Active Directory DNS zones

The DNS database is distributed: information about all domains, subdomains, and host mappings is not stored on a single DNS server but spread across many. Management is simplified by dividing the DNS namespace into zones and assigning responsibility for each zone to a particular server. An AD DNS zone is a collection of hierarchical domain names whose root domain is delegated to one or more name servers. A zone contains all the information about a domain except for the parts delegated to other name servers. A zone file begins with an AD DNS Start of Authority (SOA) resource record that identifies the primary name server for the zone.

The New Zone Wizard displaying the three types of zones and storage

For example, consider a company ABC whose namespace abc.com is delegated to the name server ns1.abc.com. All the domains under abc.com, whether sales, marketing, HR, finance, R&D, or administration, can be placed in one zone. Suppose, however, that the sales and finance domains are administered in one country, say the United States, while the R&D domain is administered in India. To simplify management of the DNS database, the sales and finance subdomains can be placed in zone 1 with responsibility given to a name server called us.abc.com, while the R&D subdomain is placed in a separate zone 2 delegated to a name server called ind.abc.com.

Active Directory DNS delegation

The names within a zone can be delegated to another zone maintained by a different server: responsibility for a subdomain is passed to a different name server, which then answers requests for that subdomain's resource records. This process is called AD DNS delegation, and it is put into effect with NS and A resource records.
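The ABC example above expressed as a parent zone file, an added illustration rather than configuration from the original article. It assumes the label `rd` for the R&D subdomain and invented addresses and SOA values; the NS records perform the delegation and the A records tell resolvers where the delegated name servers are.

```zone
; Constructed parent zone for abc.com., served by ns1.abc.com. (example only)
$ORIGIN abc.com.
$TTL 3600
@        IN SOA  ns1.abc.com. hostmaster.abc.com. ( 2024010101 3600 900 604800 300 )
@        IN NS   ns1.abc.com.
ns1      IN A    172.9.54.11

; Zone 1: sales and finance subdomains delegated to us.abc.com.
sales    IN NS   us.abc.com.
finance  IN NS   us.abc.com.
; A record for the delegated server; if its name lay inside the child zone
; (e.g. ns1.sales.abc.com.) this would have to be a glue record in the parent.
us       IN A    172.9.54.12

; Zone 2: R&D subdomain (label "rd" assumed) delegated to ind.abc.com.
rd       IN NS   ind.abc.com.
ind      IN A    172.9.60.5
```

Queries for anything under sales.abc.com or finance.abc.com are referred to us.abc.com, and queries under rd.abc.com to ind.abc.com; the parent keeps only the NS and A records needed to make that referral.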

DNS plays a central role in the smooth functioning of a network. If DNS fails, finding the IP address of a host becomes difficult, and with it access to any service. DNS acts as a bidirectional translator between IP addresses and host names, which is what makes network communication straightforward.
