-- Main.ctucker - 28 Oct 2005
CSCF Directory Services DNS Configuration (THIS PAGE NEEDS UPDATING)
CSCF manages four general use DNS servers for the School of Computer Science (SCS): dc-dns-1, dc-dns-2, mc-dns-1 and mc-dns-2. All four servers are slaves to (hold copies of the zones of) the university DNS servers managed by IST through a system called InfoBlox. For name services, nearly all (most pre-existing and all new) computers in SCS are clients of the SCS DNS servers, not of IST's. See Networking#Host_naming_and_DNS_updates and especially https://cs.uwaterloo.ca/cscf/internal/edocs/Documentation/DNS-implementation-guide/DNS-structure.pdf for more information.
The SCS DNS servers are also slaves to three additional DNS servers created for CSCF's Microsoft Active Directory (AD) based Directory Services (DS). These three servers supply an independent name space used strictly for Directory Services operations. All domain controllers in our Directory Services use these three DNS servers as their primary, secondary and additional name servers; the domain controllers do not consult the SCS DNS servers or the IST-managed DNS servers directly. No other SCS system should be a client of the Directory Services DNS servers. The Directory Services DNS servers supply the SRV (service location) zones to the SCS DNS servers, which carry them as slaves.
The Directory Services DNS servers run on the existing forest domain controllers listed below.
- puella.cscf.uwaterloo.ca (in CSCF domain)
- vulgatum.cs.uwaterloo.ca (in CS-GENERAL domain)
- aenea.student.cs.uwaterloo.ca (in CS-TEACHING domain)
All three servers are configured to accept dynamic DNS updates. What protects them is that, like all CSCF forest domain controllers, they sit on the SCS private intranet and are not reachable from most campus locations or from the Internet; that network isolation is the control that limits who can register or overwrite records in these zones.
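A check that verifies the statement above (and the later one that neither IST's nor SCS's servers take dynamic updates), added here as an example rather than anything CSCF runs: it sends a name server an unsigned dynamic update with nsupdate(8) from BIND and reports whether the update was refused, could not reach the server, or went through. The throwaway label _dynupdate-probe, the one-word verdicts and the nsupdate message texts it matches are all assumptions made for this example.

```shell
#!/bin/sh
# Added example for this page (not CSCF's own tooling): probe whether a DNS
# server accepts unauthenticated dynamic updates for a zone, using nsupdate(8)
# from BIND.  The probe adds a short-lived TXT record under a throwaway label
# only if that label does not already exist, and deletes it again straight
# away, so a server that does accept the update is left as it was.

# Build the nsupdate script for SERVER and ZONE.  The label "_dynupdate-probe"
# is an arbitrary choice made for this example.
probe_script() {
    server=$1
    zone=$2
    label=${3:-_dynupdate-probe}
    name="$label.$zone"
    printf 'server %s\nzone %s\n' "$server" "$zone"
    printf 'prereq nxdomain %s\nupdate add %s 60 TXT "dynamic update probe"\nsend\n' "$name" "$name"
    printf 'update delete %s TXT\nsend\n' "$name"
}

# Turn nsupdate's output into a one-word verdict.  The message texts matched
# here are the ones this example assumes BIND 9's nsupdate prints; nsupdate
# prints nothing at all when an update succeeds.
classify() {
    case $1 in
        *REFUSED*)  echo refused ;;      # server policy rejects unsigned updates
        *NOTAUTH*)  echo notauth ;;      # server is not authoritative for the zone
        *YXDOMAIN*) echo exists ;;       # the probe label already exists: pick another
        *failed*)   echo unreachable ;;  # "; Communication with server failed: timed out"
        "")         echo accepted ;;     # the unsigned update was applied
        *)          echo unknown ;;
    esac
}

# Probe SERVER for ZONE and print the verdict.
probe() {
    classify "$(probe_script "$1" "$2" | nsupdate 2>&1)"
}

# Usage: sh dynupdate_probe.sh <server> <zone>
if [ $# -eq 2 ]; then
    probe "$1" "$2"
fi
```

Run it from an ordinary SCS host against dc-dns-1 and against one of the three Directory Service servers. The expected verdicts are refused or notauth from the SCS and IST servers, which do not allow dynamic updates, and unreachable from the Directory Service servers when the probe runs outside the SCS intranet. An accepted verdict from a host inside the intranet means the zone takes unsigned updates from anyone who can reach it, so its protection rests entirely on that isolation.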
The DNS server software on our domain controllers is the Microsoft DNS Server that ships as an installable server role with all Windows Server installations. Use Server Manager in the Administrative Tools programme group to begin the installation.
Why Do We Need A Separate DNS Space for Directory Services?
An Active Directory relies on information stored in DNS, the SRV (service location) records, to locate key servers and services. This is a large amount of information, and it requires a DNS service that can be updated dynamically so that the domain can grow and be maintained easily: moving a Global Catalogue from one domain controller to another, for example, requires the corresponding SRV records to be updated at the same time. Neither the UW (IST) DNS service nor the SCS DNS servers allow dynamic updates.
CSCF has established three domains for its Active Directory based Directory Services:
- cscf.uwaterloo.ca (CSCF)
- cs.uwaterloo.ca (CS-GENERAL)
- student.cs.uwaterloo.ca (CS-TEACHING)
Beneath each of these, the Active Directory environment requires four additional subdomains:
- _msdcs (locate global catalogues, domain definitions, PDC emulators and domain controllers)
- _sites (locate servers for specific sites)
- _tcp (locate all domain controllers in a DNS zone)
- _udp (Kerberos v5 connectionless services)
This creates a DNS name space structured as follows.
- cscf.uwaterloo.ca - CSCF
   - _msdcs.cscf.uwaterloo.ca
   - _sites.cscf.uwaterloo.ca
   - _tcp.cscf.uwaterloo.ca
   - _udp.cscf.uwaterloo.ca
- cs.uwaterloo.ca - CS-GENERAL
   - _msdcs.cs.uwaterloo.ca
   - _sites.cs.uwaterloo.ca
   - _tcp.cs.uwaterloo.ca
   - _udp.cs.uwaterloo.ca
- student.cs.uwaterloo.ca - CS-TEACHING
   - _msdcs.student.cs.uwaterloo.ca
   - _sites.student.cs.uwaterloo.ca
   - _tcp.student.cs.uwaterloo.ca
   - _udp.student.cs.uwaterloo.ca
Beneath these service subdomains, _msdcs and _sites have up to four further sublevels. The actual DNS structure of a generic Active Directory environment is very complex and would be difficult, time consuming and error prone to manage by hand. The payoff for this complexity is that very generic names can be used to locate essential services within the Directory Service.
Need a list of all LDAP servers within the CS-TEACHING (student.cs.uwaterloo.ca) domain? Ask for the SRV records; the four fields after "SRV record" in each answer are priority, weight, port and target host.
1>@cscf[59]% host -t SRV _ldap._tcp.student.cs.uwaterloo.ca
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 artica.student.cs.uwaterloo.ca.
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 aenea.student.cs.uwaterloo.ca.
_ldap._tcp.student.cs.uwaterloo.ca has SRV record 0 100 389 genei.student.cs.uwaterloo.ca.
Need to know which domain controllers are supporting Global Catalogues in the CSCF forest?
1>@cscf[60]% host -t SRV _gc._tcp.cscf.uwaterloo.ca
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 puella.cscf.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 lestidae.cscf.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 vulgatum.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 aenea.student.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 fusca.cs.uwaterloo.ca.
_gc._tcp.cscf.uwaterloo.ca has SRV record 0 100 3268 artica.student.cs.uwaterloo.ca.
Integration With School of Computer Science DNS Space
Only the Directory Service domain controllers are DNS clients of aenea, vulgatum and puella. Every other system in SCS is (or at least should be) a DNS client of SCS's DNS servers, dc-dns-1 et al. The Microsoft service subdomains must therefore also exist in SCS's general DNS space if clients of the Directory Service are to find services within it, for activities such as authentication.
So how do clients of the Directory Service find services in the Active Directory when they do not consult the Active Directory DNS servers? The answer is what this page calls zone forwarding of the Microsoft service subdomains from the Directory Service DNS servers to the SCS DNS servers: the SCS servers hold slave copies of those zones, with the Directory Service servers as their masters. Rather than a single Forward Lookup Zone, the Directory Service DNS space is therefore broken into the following fifteen Forward Lookup Zones, separating the top-level domains from the service subdomains so that the latter can be handed over on their own.
- cs.uwaterloo.ca
- cscf.uwaterloo.ca
- student.cs.uwaterloo.ca
- _msdcs.cs.uwaterloo.ca
- _msdcs.cscf.uwaterloo.ca
- _msdcs.student.cs.uwaterloo.ca
- _sites.cs.uwaterloo.ca
- _sites.cscf.uwaterloo.ca
- _sites.student.cs.uwaterloo.ca
- _tcp.cs.uwaterloo.ca
- _tcp.cscf.uwaterloo.ca
- _tcp.student.cs.uwaterloo.ca
- _udp.cs.uwaterloo.ca
- _udp.cscf.uwaterloo.ca
- _udp.student.cs.uwaterloo.ca
The twelve Forward Lookup Zones for the service subdomains are forwarded (transferred as slave zones) to dc-dns-1 et al., with any of aenea, vulgatum or puella acting as master.
IST repackaged bind-9.2, and subsequent versions of bind, so that local DNS administrators can maintain private zones on top of the zones supported by IST. On the SCS servers these private zones are:
- _msdcs.cs.uwaterloo.ca
- _msdcs.cscf.uwaterloo.ca
- _msdcs.student.cs.uwaterloo.ca
- _sites.cs.uwaterloo.ca
- _sites.cscf.uwaterloo.ca
- _sites.student.cs.uwaterloo.ca
- _tcp.cs.uwaterloo.ca
- _tcp.cscf.uwaterloo.ca
- _tcp.student.cs.uwaterloo.ca
- _udp.cs.uwaterloo.ca
- _udp.cscf.uwaterloo.ca
- _udp.student.cs.uwaterloo.ca
Because these zones now appear in SCS's DNS space, Windows, Macintosh and Ubuntu (Linux) systems can authenticate against our Directory Services.
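The host(1) lookups shown earlier and the claim just made, that the service zones are visible from the SCS servers, can be checked together with the script below, added as an example and not CSCF's own tooling. It lists the SRV names Windows clients query to locate a domain's services, queries each of them (optionally at a named server such as dc-dns-1) exactly as the examples above do, and picks the preferred targets from the answers by SRV priority and weight. The locator names are the standard Active Directory ones; the forest root defaults to cscf.uwaterloo.ca, which is an assumption based on the _gc._tcp example above, and the deterministic ordering by weight is this example's simplification of RFC 2782.

```shell
#!/bin/sh
# Added example for this page (not CSCF's own tooling): list the Active
# Directory locator records a domain's clients look up, query them with
# host(1) as the examples on this page do, and pick the preferred targets
# from the answers.  Pass a DNS server as the second argument to confirm that
# the service zones are visible from that server (for example dc-dns-1).

# SRV names Windows clients use to locate services in DOMAIN.  The global
# catalogue names are registered under the forest root FOREST, assumed here
# to be cscf.uwaterloo.ca (the zone the _gc._tcp example on this page queried).
ad_locator_names() {
    domain=$1
    forest=${2:-cscf.uwaterloo.ca}
    printf '%s\n' \
        "_ldap._tcp.$domain" \
        "_ldap._tcp.dc._msdcs.$domain" \
        "_ldap._tcp.pdc._msdcs.$domain" \
        "_kerberos._tcp.$domain" \
        "_kerberos._udp.$domain" \
        "_kpasswd._tcp.$domain" \
        "_gc._tcp.$forest" \
        "_ldap._tcp.gc._msdcs.$forest"
}

# Read host(1) output such as
#   _ldap._tcp.x has SRV record 0 100 389 a.x.
# on stdin and print "target port" for the records with the lowest priority,
# highest weight first.  RFC 2782 has clients choose among equal-priority
# records at random in proportion to weight; this sorts by weight instead so
# the output is deterministic.  Priority 0 and weight 100, as in the answers
# on this page, are what Windows domain controllers register by default.
preferred_targets() {
    awk '$3 == "SRV" && $4 == "record" {
             target = $8; sub(/\.$/, "", target)
             print $5, $6, $7, target
         }' |
    sort -k1,1n -k2,2nr |
    awk 'NR == 1 { best = $1 } $1 == best { print $4, $3 }'
}

# Query every locator name for DOMAIN (optionally at SERVER) and report the
# names that have no SRV record; those are the lookups a client would fail on
# when trying to find a domain controller.  Returns the number of missing names.
check_domain() {
    domain=$1
    server=$2
    missing=0
    for name in $(ad_locator_names "$domain"); do
        answer=$(host -t SRV "$name" $server 2>&1)
        if printf '%s\n' "$answer" | grep -q 'has SRV record'; then
            printf '%s\n' "$answer" | preferred_targets | sed "s/^/$name -> /"
        else
            echo "MISSING: $name"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Usage: sh ad_srv_check.sh <domain> [server]
if [ $# -gt 0 ]; then
    check_domain "$@"
fi
```

Running `sh ad_srv_check.sh student.cs.uwaterloo.ca dc-dns-1` should list the same targets as the examples above; any MISSING line means the corresponding service zone is not being transferred to that SCS server, and Directory Service clients using it will not find the service.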