GlobalNames allows a domain name as short as .apple, .xbox or .intranet to be used. This video looks at how to configure Windows DNS to use names like these on your internal network, and also how global names will be used in the future on the internet.
Previous Networking
The first Microsoft networks used a peer-to-peer style system. Each computer had a computer name based on the NetBIOS standard, which in the case of Microsoft networks was limited to 15 characters. Networks had to be directly connected to each other as NetBIOS was not routable; later on, the ability to route network traffic was added to NetBIOS networks. This meant that across a NetBIOS network there could not be two computers with the same name. To allow that, DNS had to be used rather than NetBIOS: with DNS you can have two computers with the same name as long as their fully qualified domain names are different. For example, you could have fileserver.itfreetraining.com and fileserver.backup.itfreetraining.com on the same network, as the fully qualified domain names are different; however, notice that the first part of each name is the same. This was not possible with NetBIOS.
From a user's perspective, they want to be able to type in a short, simple name to access a server, for example NYDC1 rather than NYDC1.ITFreeTraining.local. To allow this to happen automatically, Windows adds a DNS suffix to the name. This makes it simple for the user; however, it means that the DNS suffixes Windows will use need to be configured on the computer. GlobalNames essentially allows a short, simple name to be used without the need for a DNS suffix to be configured on the computer. This is the most noticeable feature missing from the old NetBIOS system. On an old NetBIOS network, all names were short names and thus easy for the user to use. With DNS, short names cannot be used like this: DNS requires either the whole fully qualified domain name to be entered, or Windows to automatically add a DNS suffix to the short name. So what is a global name? A global name is a short name that is compatible with DNS, allows the user to enter a short name rather than a long name, and does not require Windows to add a DNS suffix to the name. This gives the user the most missed feature of NetBIOS networking while still using DNS, so it effectively gives them the best of both worlds: being able to use a simple name, referred to as a single-label name, to access resources on the network.
DNS Suffixes
A DNS suffix is the last part of the domain name, for example ITFreeTraining.com, HighCostTraining.com or example.com. If these three DNS suffixes were configured on a computer and you attempted to ping the address fs1, the following would occur. FS1.ITFreeTraining.com would be tried for a match. If no match was found, FS1.HighCostTraining.com would be tried; if there was no match there, FS1.example.com would be tried. If no match was found here, the computer would report that the address was not resolvable. Notice that this means three DNS names have to be checked with the DNS server to see if any of them resolve. If you have a large network with a lot of suffixes, more names will need to be tried before the address is returned as not resolvable. If you want a single-label name to be resolvable by all computers in the forest, for example you want to create an address called intranet, it could be created and made accessible to all computers in the forest without the need to configure a single DNS suffix on any computer in the forest.
WINS
Windows Internet Name Service (WINS) was used in the old days to perform name resolution. It is a system that allows computers to resolve NetBIOS names; effectively it is DNS for NetBIOS names. Since it allows clients to resolve computer names using a single-label name, it is a nice feature to have on a network, and thus some modern networks still use WINS. WINS does support dynamic update; however, it does not support newer features like IPv6. For this reason, WINS is a feature that is being retired; however, some old networks still use it for the ability to look up single-label names easily. GlobalNames provides a modern replacement for WINS and, through its use, the administrator should be able to remove WINS from their network.
GlobalNames Zone
A GlobalNames zone is a zone that is replicated forest wide. Dynamic updates for this zone are disabled for security reasons: being able to dynamically add a DNS record to this zone would affect all computers on the network. Disabling them helps prevent an attacker or an end user from putting their own DNS record in the zone. If a record were added to the zone in a large forest, it would be replicated to every domain controller and be resolvable by every client on the network, which is not something you want on a large network. For this reason, the zone contains CNAME records (aliases) for the single-label names. CNAME records are used so that if the A record a CNAME refers to changes, name resolution automatically follows the change. This helps keep the information up to date without compromising security in the process. Since GlobalNames uses DNS, IPv6 is supported, which is a shortfall of WINS, and thus it offers a modern-day replacement for WINS.
In order to use GlobalNames the following needs to be done.
1) On every DNS server that will be used, the following command needs to be run: DNSCMD /Config /EnableGlobalNameSupport 1
2) A new Active Directory integrated zone called GlobalNames needs to be created that will be replicated forest wide.
3) The new zone GlobalNames needs to have dynamic updates disabled.
Demonstration
This demonstration will be done on Windows 8 with “Remote Server Administration Tools” installed.
1) To open a command prompt, press the Windows key and then press X. When the menu appears, select Command Prompt from the menu.
2) The single-label name that will be used in this example is intranet. When “ping intranet” is run from the command prompt, the command returns the message “Ping request could not find host intranet. Please check the name and try again.”
3) Each DNS server that will be used to resolve global names needs to have a configuration change performed on it; otherwise it will not be able to resolve any single-label names. This command needs to be run for each DNS server; however, as shown in the demonstration, it can be run remotely. The command run in this case will configure the setting on the server NYDC1, which is also a domain controller: “DNSCMD NYDC1 /Config /EnableGlobalNameSupport 1”. The DNS server service will need to be restarted in order for this configuration change to take effect.
4) The DNS zone that will hold the single-label names needs to be created. This can be done using DNS Manager, which can be opened by running Server Manager, selecting Tools and then selecting DNS from the list. If this does not work, you can also run DNS from Administrative Tools found under the Start menu.
5) To create a new zone, expand down to Forward Lookup Zones, right click it and select the option New Zone from the menu. When creating the zone, ensure that Primary zone is selected, and also tick the box “Store the zone in Active Directory (available only if DNS server is a writeable domain controller)”. For replication, the option “To all DNS servers running on domain controllers in this forest” is selected. The name of the zone needs to be GlobalNames. This is a special name that the DNS server will recognize as containing the single-label names. For dynamic updates, make sure the option “Do not allow dynamic updates” is selected. This helps protect the zone from being misused. Since it is available to all computers in the forest, it is important to make sure it is secure.
6) To create a new single-label name, right click on the GlobalNames zone and select the option “New Alias (CNAME)” from the list. CNAMEs are the only DNS records that should be used in this zone. If the IP address of the DNS record the CNAME points to were to change, the address the CNAME resolves to would change with it. This means that even though dynamic updates are not available in this zone, the zone that the CNAME is pointing to can have dynamic updates enabled, so changes to the DNS record can happen indirectly like this even though dynamic updates on the GlobalNames zone are disabled.
7) In this example, the CNAME will be given the alias intranet and be pointed to the A record for srv1.ITFreeTraining.local. This means that whenever intranet is resolved, the IP address of srv1.ITFreeTraining.local will be returned.
8) When attempting to ping intranet again after the change has been made, this will fail as the DNS server has not been restarted. All configuration changes performed on the DNS server require it to be restarted. This can be done by right clicking the DNS server name in DNS Manager, selecting All Tasks and then selecting the option Restart. After the DNS server has been restarted, it should now be able to resolve single-label names.
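The same three steps (enable GlobalNames support, create the forest-wide zone with dynamic updates disabled, add the CNAME) and the restart from the demonstration, as an added example using the DnsServer PowerShell module rather than DNSCMD and DNS Manager; this is not the video's own script. It assumes the DNS server is NYDC1 and the alias target is srv1.ITFreeTraining.local, as in the demonstration, and that it runs with DNS administrative rights.

```powershell
# Added example: GlobalNames setup with the DnsServer module (not from the video).
# Assumes: DNS server/domain controller NYDC1 and target srv1.ITFreeTraining.local
# (both from the demonstration); run as a DNS administrator.
Import-Module DnsServer

$dnsServer = 'NYDC1'
$alias     = 'intranet'
$target    = 'srv1.ITFreeTraining.local'

# Step 1: enable GlobalNames support on the server, the PowerShell equivalent
# of "DNSCMD /Config /EnableGlobalNameSupport 1".
Set-DnsServerGlobalNameZone -ComputerName $dnsServer -Enable $true

# Steps 2 and 3: create the AD-integrated primary zone named GlobalNames,
# replicated to every DNS server on a domain controller in the forest, with
# -DynamicUpdate None so nobody can register a record that the whole forest
# would then resolve.
if (-not (Get-DnsServerZone -ComputerName $dnsServer -Name 'GlobalNames' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -ComputerName $dnsServer -Name 'GlobalNames' `
        -ReplicationScope Forest -DynamicUpdate None
}

# Only CNAME records belong in this zone: the alias follows the target's A record,
# which can still be dynamically updated in its own zone.
Add-DnsServerResourceRecordCName -ComputerName $dnsServer -ZoneName 'GlobalNames' `
    -Name $alias -HostNameAlias $target

# The text notes the DNS server service must be restarted before the change takes effect.
Invoke-Command -ComputerName $dnsServer -ScriptBlock { Restart-Service -Name DNS }

# Verification: support is enabled, the zone is forest-replicated with updates
# disabled, and the single-label name now resolves to the target's address.
Get-DnsServerGlobalNameZone -ComputerName $dnsServer | Select-Object Enable
Get-DnsServerZone -ComputerName $dnsServer -Name 'GlobalNames' |
    Select-Object ZoneName, ReplicationScope, DynamicUpdate
Resolve-DnsName -Name $alias -Server $dnsServer
```

The last Resolve-DnsName call is the PowerShell counterpart of the "ping intranet" check in the demonstration and should return the A record of srv1.ITFreeTraining.local once the service has restarted.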