-- Main.ctucker - 28 Oct 2005

CSCF Directory Services DNS Configuration

CSCF manages four general use DNS servers for the School of Computer Science (SCS), dc-dns-1, dc-dns-2, mc-dns-1 and mc-dns-2. All four servers are slaves to (contain copies of) the university DNS servers managed by IST through a system called InfoBlox. For name services, nearly all (most pre-existing and all new) computers in SCS are clients of the SCS DNS servers and not IST. See Networking#Host_naming_and_DNS_updates and especially https://cs.uwaterloo.ca/cscf/internal/edocs/Documentation/DNS-implementation-guide/DNS-structure.pdf for more information.

But the SCS DNS servers are also slaves to three additional DNS servers created for CSCF's Microsoft Active Directory (AD) based Directory Services (DS). CSCF maintains three DNS servers which supply an independent naming space strictly for Directory Services operations. All domain controllers within our Directory Services use these three DNS servers for their primary and secondary and additional name services. Our domain controllers do not directly consult the SCS DNS servers or the IST managed DNS servers. No other SCS systems should be clients of the Directory Services DNS servers. The Directory Services DNS servers forward SRV zone information to the SCS DNS servers.

The Directory Services DNS servers are maintained on existing forest domain controllers listed below.

  • puella.cscf.uwaterloo.ca (in CSCF domain)
  • vulgatum.cs.uwaterloo.ca (in CS-GENERAL domain)
  • aenea.student.cs.uwaterloo.ca (in CS-TEACHING domain)

All three servers are configured to accept dynamic DNS updates. They are protected by the fact that they, as with all CSCF forest domain controllers, are networked onto the SCS private intranet and not accessible from most campus locations or the internet.

The DNS server software on our domain controllers is the resident Microsoft DNS Server which comes as an installable server role for all server installations. Utilize Server Manager in the Administrative Tools programme group to begin installation.

Why Do We Need A Separate DNS Space for Directory Services?

An Active Directory relies upon information stored in DNS to locate key servers and services - SRV records. This is a vast amount of information which requires a DNS service that can be updated dynamically for ease of domain growth and maintenance. Moving a Global Catalogue from one domain controller to another requires SRV records to be updated at the same time. Neither the UW (IST) DNS service nor the SCS DNS servers allow for dynamic updates.

In addition to the three domains CSCF has established for its Active Directory based Directory Services,

  • cscf.uwaterloo.ca (CSCF)
  • cs.uwaterloo.ca (CS-GENERAL)
    • student.cs.uwaterloo.ca (CS-TEACHING)

The Active Directory environment requires four additional subdomains beneath each of ours.

  • _msdcs (locate global catalogues, domain definitions, pdc emulators and domain controllers)
  • _sites (locate servers for specific sites)
  • _tcp (locate all domain controllers in a DNS zone)
  • _udp (kerberos v5 connectionless services)

This creates a DNS naming space structured as follows.

  • cscf.uwaterloo.ca - CSCF
    • _msdcs.cscf.uwaterloo.ca
    • _sites.cscf.uwaterloo.ca
    • _tcp.cscf.uwaterloo.ca
    • _udp.cscf.uwaterloo.ca
  • cs.uwaterloo.ca - CS-GENERAL
    • _msdcs.cs.uwaterloo.ca
    • _sites.cs.uwaterloo.ca
    • _tcp.cs.uwaterloo.ca
    • _udp.cs.uwaterloo.ca
    • student.cs.uwaterloo.ca - CS-TEACHING
      • _msdcs.student.cs.uwaterloo.ca
      • _sites.student.cs.uwaterloo.ca
      • _tcp.student.cs.uwaterloo.ca
      • _udp.student.cs.uwaterloo.ca

On top of these service subdomains, _msdcs and _sites have up to four additional sublevels beneath them. The actual structure of DNS in a generic Active Directory environment is very complex and would be difficult, time consuming and error prone to manage manually. But this complexity allows for very generic naming to be used to locate essential services within the Directory Service.

Require a list of all LDAP servers within the CS-TEACHING (student.cs.uwaterloo.ca) domain?

1>@cscf[59]% host -t SRV _ldap._tcp.student.cs.uwaterloo.ca
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 artica.student.cs.uwaterloo.ca.
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 aenea.student.cs.uwaterloo.ca.
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 genei.student.cs.uwaterloo.ca.

Need to know which domain controllers are supporting Global Catalogues in the CSCF forest?

1>@cscf[60]% host -t SRV _gc._tcp.cscf.uwaterloo.ca
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 puella.cscf.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 lestidae.cscf.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 vulgatum.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 aenea.student.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 fusca.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 artica.student.cs.uwaterloo.ca.

Integration With School of Computer Science DNS Space

Only the Directory Service domain controllers are DNS clients of aenea, vugatum and puella. Every other system in SCS is (or at least should be) a DNS client of SCS's DNS servers, dc-dns-1 et al.. Microsoft added service subdomains are required in SCS's general DNS space if clients of the Directory Service are to be able to find services within the Directory Service for such activities as authentication. So how do clients of the Directory Service find services in the Active Directory if they do not consult the Active Directory DNS servers?

The answer is Zone Forwarding from the Directory Service DNS servers to the SCS DNS servers of the Microsoft added subdomains. Instead of a single Forward Lookup Zone, the Directory Service DNS space is broken into 16 Forward Lookup Zones to separate the top domains from the service domains.

  • cs.uwaterloo.ca
  • cscf.uwaterloo.ca
  • student.cs.uwaterloo.ca
  • _msdcs.cs.uwaterloo.ca
  • _msdcs.cscf.uwaterloo.ca
  • _msdcs.student.cs.uwaterloo.ca
  • _sites.cs.uwaterloo.ca
  • _sites.cscf.uwaterloo.ca
  • _sites.student.cs.uwaterloo.ca
  • _tcp.cs.uwaterloo.ca
  • _tcp.cscf.uwaterloo.ca
  • _tcp.student.cs.uwaterloo.ca
  • _udp.cs.uwaterloo.ca
  • _udp.cscf.uwaterloo.ca
  • _udp.student.cs.uwaterloo.ca

The 16 Forward Lookup Zones representing service subdomains are forwarded to dc-dns-1 et al. from any of aenea, vugatum or puella. IST repackaged the bind-9.2 and subsequent versions of bind to make it possible for local DNS administration to maintain private zones on top of the zones supported by IST.

  • _msdcs.cs.uwaterloo.ca
  • _msdcs.cscf.uwaterloo.ca
  • _msdcs.student.cs.uwaterloo.ca
  • _sites.cs.uwaterloo.ca
  • _sites.cscf.uwaterloo.ca
  • _sites.student.cs.uwaterloo.ca
  • _tcp.cs.uwaterloo.ca
  • _tcp.cscf.uwaterloo.ca
  • _tcp.student.cs.uwaterloo.ca
  • _udp.cs.uwaterloo.ca
  • _udp.cscf.uwaterloo.ca
  • _udp.student.cs.uwaterloo.ca

Because these zones now appear in SCS's DNS space; Windows, Macintosh and Ubuntu (Linux) systems can now authenticate against the our Directory Services

Edit | Attach | Watch | Print version | History: r10 < r9 < r8 < r7 < r6 | Backlinks | Raw View | WYSIWYG | More topic actions
Topic revision: r10 - 2014-10-15 - TrevorGrove
 
This site is powered by the TWiki collaboration platform Powered by PerlCopyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.
Ideas, requests, problems regarding TWiki? Send feedback