I am on the DNS section of my notes from the AD WorkshopPLUS I attended a few months back. That’s why the recent posts are about DNS …
The SOA (Start of Authority) record is something DNS administrators are familiar with. It specifies details about the zone such as the serial number (which can be used by secondary name servers to know the zone has changed), the preferred refresh periods for secondary name servers to sync the zone, the time between retries, whom to contact, the primary name server, and so on. Here’s the SOA record for my rakhesh.com domain:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
D:\>nslookup -type=soa rakhesh.com ns-151.awsdns-18.com Server: UnKnown Address: 205.251.192.151 rakhesh.com primary name server = ns-1475.awsdns-56.org responsible mail addr = awsdns-hostmaster.amazon.com serial = 1 refresh = 7200 (2 hours) retry = 900 (15 mins) expire = 1209600 (14 days) default TTL = 86400 (1 day) rakhesh.com nameserver = ns-1475.awsdns-56.org rakhesh.com nameserver = ns-151.awsdns-18.com rakhesh.com nameserver = ns-1611.awsdns-09.co.uk rakhesh.com nameserver = ns-769.awsdns-32.net |
(In the example above the results also include all the name server records of the zone, but that needn’t be the case always).
In traditional zones you have one primary name server and many secondaries. So you can set one server as the primary in the record above. But what about AD-integrated zones? Since each DNS server is also a primary in that case, things are a bit different.
What happens is that the primary name server is set to the name of whichever DNS server you ask. Thus, if you query WIN-DC01 for the SOA record to rakhesh.local, it will give itself as the primary, while if you query WIN-DC02 it will return itself as the primary.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
C:\Windows\system32>nslookup -type=soa rakhesh.local 10.50.0.20 Server: win-dc01.rakhesh.local Address: 10.50.0.20 rakhesh.local primary name server = win-dc01.rakhesh.local responsible mail addr = hostmaster.rakhesh.local serial = 1712 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) win-dc01.rakhesh.local internet address = 10.50.0.20 win-dc01.rakhesh.local AAAA IPv6 address = fdcc:7c4e:3651:1::20 C:\Windows\system32>nslookup -type=soa rakhesh.local 10.50.0.22 Server: win-dc03.rakhesh.local Address: 10.50.0.22 rakhesh.local primary name server = win-dc03.rakhesh.local responsible mail addr = hostmaster.rakhesh.local serial = 1712 refresh = 900 (15 mins) retry = 600 (10 mins) expire = 86400 (1 day) default TTL = 3600 (1 hour) win-dc03.rakhesh.local internet address = 10.50.0.22 win-dc03.rakhesh.local AAAA IPv6 address = fdcc:7c4e:3651:1::22 |
In Windows the name server returned by the SOA record is also used by clients for dynamic DNS updates. Clients query DNS for the SOA record. Whichever server they get a response from will return an SOA record containing itself as the primary name server. Clients then use that name server to dynamically register their A and PTR records.
An exception to the above is Read-Only DCs (RODCs). These point to another server as the SOA for the zone. A new server is selected every 20 mins. When clients contact a RODC DNS server, they thus get another server as primary in the SOA record and send their dynamic updates to this other server.