Windows Server 2008 - DNS enhancement nuggets

David Tesar — Fri, 25 Apr 2008 20:00:00 GMT

There are a number of enhancements to DNS in Windows Server 2008. There are already some lengthy articles on the features, so in this post I hope to give a quick “why you care” on each of the features and some nuggets of wisdom / insight. Here we go…

DNS on Server Core: I see this as a very useful scenario for most people who use DNS in conjunction with RODC in branch offices using the new primary read-only zone. You get all of the server core benefits such as improvements in performance, less patching, security, etc, and it can have all of the same core functionality as a regular DNS server. The easiest way to manage is remotely using the DNS MMC.

Background Zone Loading: Companies who have a large number of records in AD-integrated zones might have to wait 1+ hours to have DNS respond to queries after restarting. Now, DNS spawns off multiple threads to be able to respond to client queries right away. If the record in the zone hasn’t been loaded into memory yet and it is still in the process of loading the entire zone, it will query the node in AD, cache it in the zone, and return a response to the client.

IPv6 Support: Microsoft supports IPv6 in Server 2003, but it was a bit of a management pain and there were some other limitations. See Joseph Landies Cable guy article for the management/integration improvements made in WS08. Also, some other improvements:

· DNS servers can now send recursive queries to IPv6-only servers
· The server forwarder list can contain both IPv4 and IPv6 addresses
· DHCP clients can also register IPv6 addresses in addition to (or instead of) IPv4 addresses.
· DNS servers now support the ip6.arpa domain namespace for reverse mapping.

Make sure your critical apps are cool with receiving a response for an IPv4 address and an IPv6 address. I haven’t personally seen any app problems, but nonetheless, worth mentioning.

Primary read-only zone: This new zone type is also referred to as a “branch office zone” which is available on RODCs running DNS. The zone will make a read-only copy of all of the AD-integrated zones locally from a full DC. The easiest way to think about it is as a read-only secondary zone, but better due to the benefits of AD-integration (i.e. security, management, and you can easily replicate multiple zones).

Global Names Zone: This allows you to resolve single-label names in DNS as an aid to get rid of WINS. If you still need computer browsing, you have apps hard-coded to only use NetBIOS name resolution, or have really old clients & NT4 – sorry, you probably still need WINS. However, if you just need the single-label name support for things like custom-named internal websites or servers throughout your entire environment – this is the solution. There are quite a few things to consider with this, so I recommend reading the whitepaper listed below. A couple quick key limitations are a) this functionality only works with WS08 DNS servers and b) it also doesn’t support dynamic updates.

DNS Client changes: For Vista clients or WS08 servers, the DNS client has a few good changes:
· Periodic check to make sure the client is authenticating with a local DC (configurable via group policy). Previously, a client would only fail back to the closer DC when forced.
· Locate the nearest domain controller using the defined Active Directory sitelink costs instead of searching randomly. This is disabled by default, but good to enable when you have clients across slow site-links.
· Use link-local multicast name resolution (LLMNR), also known as multicast DNS or mDNS, to resolve names on a local network segment when a DNS server is not available.

Get Started
Windows Server 2008 & Domain Name Service: What's New (WS08 Blog by Kurt Roggen)
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 (http) (doc version)
The Cable Guy DNS Enhancements in Windows Server 2008 (by Joseph Davies)
What's New in DNS in Windows Server 2008 (very short blurb on TechNet)
DNS Server GlobalNames Zone Deployment Whitepaper

Note: this can also be found on TechNet Edge here.

Forefront Stirling – Public Beta Overview

David Tesar — Thu, 17 Apr 2008 09:59:00 GMT

With the launch of the 1^st public beta for Forefront Stirling on April 8^th, I thought it would be relevant to do a post this week on it. This release proves that the Stirling vision scenario in my previous blog article is becoming a reality. “Stirling” seems to be thrown around quite a bit and can be misunderstood, so let me 1^st clarify. Codename Stirling refers to the next wave of all Forefront products, scheduled to hit RTM in the 1^st half of 2009. This wave includes the “next version” of:

· Forefront Client Security (FCS)
· Forefront Security for Exchange Server (FSES),
· Forefront Security for SharePoint (FSS)
· ISA Server – new name Forefront Threat Management Gateway (TMG).

Additionally, this wave includes a server and single management console to interact with all of the above, commonly referred to as the “Stirling” server and “Stirling” management console. The console and server can be run on the same or separate machines. Down the road, we’ll have an official name to replace “Stirling” and “next version of”.

Ok, so what is some cool stuff to check out with the public beta?

· Dynamic response capabilities – see how the forefront products share information and interact with each other.
· Single management console and reporting for the entire technology suite except FSS - get a security state assessment for all of the connected machines & specify how you want to remediate through forefront policy.
· Integration with NAP – use NAP to remediate your machines
· Integrated malware and anti-virus protection – check out how it downloads & pushes out the updates
· Use powershell to manage it – by default Stirling uses powershell behind the scenes, but you can do it yourself if you feel inclined.

What are some things you can NOT you do yet?

· Install a topology which has more than one Stirling server
· Install the Stirling server, console, or next version of FCS on Windows Server 2008
· Install Terminal Services or a DC on the Stirling server
· Install non-English versions

Get started

Download the Stirling beta here.
The most helpful pre-requisite page to install everything here.
Stirling homepage
TechNet technical documentation for deployment, operations, etc.
Stirling blog
Forefront team blog

Note: this post can also be found on TechNet Edge here.

eXtreme. tech. : Feature of the Week

Windows Server 2008 - DNS enhancement nuggets

Forefront Stirling – Public Beta Overview