The information in this article applies to:
- Microsoft Windows NT Server versions 3.5, 3.51, and 4.0
SUMMARY
In a network environment that uses only Domain Name Service (DNS) for name
resolution, clients may not be able to log on to a Windows NT domain if
they do not have a domain controller on their TCP/IP segment.
This article explains how to configure Microsoft Windows NT 4.0 DNS Server
so that clients can locate a domain controller and be validated on the
Windows NT Domain. These steps should also work on third-party DNS
servers.
MORE INFORMATION
Below are examples of how to configure the DNS server and client so they
can perform Windows NT domain validation using DNS only for name
resolution. One advantage to using DNS instead of WINS for validation is
that you can control the Primary Domain Controller (PDC) and Backup Domain
Controller (BDC) server list that DNS will supply to the resolver. This
will prevent a remote BDC or PDC from setting up a secure channel with the
validation client and doing validation over a slow link.
Example 1
For the first example, the following names will be used:
DNS Domain: LEX.COM
Windows NT Domain: NTDOMAIN
To configure your DNS so that clients can locate Windows NT domain
controllers with DNS queries, perform the following steps:
- In the LEX.COM domain on the DNS server, create an A record for
NTDOMAIN. For this A record, enter the IP address of your Windows NT
domain controller.
NOTE: Because you can have multiple A records for the NTDOMAIN
resource, it is possible to specify certain domain controllers that
will be returned when the DNS resolvers query the Windows NT domain
name. To do this, simply create multiple A records for NTDOMAIN. For
each A record, enter the IP address of the Windows NT domain
controllers that you want to respond to domain name requests. These
multiple A records will be given to clients in "round-robin" sequence,
which will provide load-balancing for logging on to a Windows NT domain
(and other domain functions) across all listed Windows NT domain
controllers.
- Configure each client's TCP/IP properties with your DNS domain name (in
this example, LEX.COM). This step is important because, when the DNS
client (resolver) attempts to resolve the domain name, it does a b-node
broadcast on its subnet for the NTDOMAIN domain. If it receives no
reply (because the Windows NT domain controller is on another segment),
it will do one of the following:
  - If a WINS server is specified on the client, the query for the
    <NTDOMAIN>1Ch entry will then go to the WINS server. If the WINS
    server has a <domain name>1Ch entry for the domain controller(s),
    the client uses that server (PDC or BDC) address for Windows NT
    domain validation.
  - If a WINS server is not specified, or cannot be contacted, the
    client sends a query to the DNS server with the Windows NT domain
    name, and appends the DNS domain name to that name. So in this
    example, it sends a query for NTDOMAIN.LEX.COM to the DNS server.
    If step 1 has been completed, the DNS server will respond with one
    of the IP addresses named NTDOMAIN in the LEX.COM domain. The client
    receives this Windows NT domain controller IP address and sends its
    request for domain logon validation to that Windows NT domain
    controller.
Example 2
In the special case where the Windows NT domain name has a period (.) in
the name, such as NTDOMAIN.COM, the A record creation is slightly
different. In the following example, substitute your Windows NT domain
name that contains a period where the example uses NTDOMAIN.COM.
In this example, perform the following steps:
- In the LEX.COM domain on the DNS Server, create a subdomain called COM.
- In the COM subdomain, create an A record named NTDOMAIN, and enter the
IP address of your Windows NT domain controller.
NOTE: Because you can have multiple A records for the NTDOMAIN
resource, it is possible to specify certain domain controllers that
will be returned when the DNS resolvers query the Windows NT domain
name. To do this, simply create multiple A records for NTDOMAIN. For
each A record, enter the IP address of the Windows NT domain
controllers that you want to respond to domain name requests. These
multiple A records will be given to clients in "round-robin" sequence,
which will provide load-balancing for logging on to a Windows NT domain
(and other domain functions) across all listed Windows NT domain
controllers.
- Configure each client's TCP/IP properties with your DNS Domain Name (in
this example, LEX.COM). This step is important because, when the DNS
client (resolver) attempts to resolve the domain name, it does a b-node
broadcast on its subnet for the NTDOMAIN.COM domain. If it receives no
reply (because the Windows NT domain controller is on another segment),
it will do one of the following:
  - If a WINS server is specified on the client, the query for the
    <domain name>1Ch entry will then go to the WINS server. If the WINS
    server has a <domain name>1Ch entry for the domain controller(s),
    then the client uses that server (PDC or BDC) address for Windows NT
    domain validation.
  - If a WINS server is not specified, or cannot be contacted, the
    client sends a query to the DNS server with the Windows NT domain
    name and appends the DNS domain name to that name. So, in this
    example, it sends a query for NTDOMAIN.COM.LEX.COM to the DNS
    server. If step 1 has been completed, the DNS server will respond
    with one of the IP addresses named NTDOMAIN in the COM subdomain
    within the LEX.COM domain. The client receives this Windows NT
    domain controller IP address, and sends its request for domain logon
    validation to that Windows NT domain controller.
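The lookups in Examples 1 and 2 can be checked offline with the following added example, which is not part of the original article. It builds the name the client sends to DNS, reads the A records from a BIND-style zone fragment (as a third-party DNS server would hold them), and flags any returned address that is not on the intended domain controller list. The zone text, IP addresses, the approved list and all function names are constructed for illustration.

```python
# Added example: models the DNS fallback lookup from Examples 1 and 2.
# Zone text, IP addresses and function names are constructed assumptions.

ZONE_ORIGIN = "LEX.COM."

# BIND-style master-file records (constructed). Relative owner names are
# completed with the zone origin, so "NTDOMAIN.COM" lands in the COM subdomain.
ZONE_TEXT = """
NTDOMAIN        IN A 192.0.2.10    ; PDC, local site
NTDOMAIN        IN A 192.0.2.11    ; BDC, local site
NTDOMAIN.COM    IN A 192.0.2.20    ; DC for the dotted domain (Example 2)
NTDOMAIN.COM    IN A 198.51.100.7  ; remote BDC across the slow link
"""

def parse_a_records(zone_text, origin):
    """Return {fqdn: [ip, ...]} for every 'owner IN A ip' line."""
    records = {}
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) != 4:
            continue
        owner, rr_class, rr_type, ip = fields
        if rr_class.upper() != "IN" or rr_type.upper() != "A":
            continue
        owner = owner.upper()
        if not owner.endswith("."):               # relative name
            owner = owner + "." + origin
        records.setdefault(owner, []).append(ip)
    return records

def client_query_name(nt_domain, dns_suffix):
    """Name sent to DNS: the NT domain name plus the client's DNS domain."""
    return f"{nt_domain.upper()}.{dns_suffix.upper().rstrip('.')}."

def audit_domain(nt_domain, dns_suffix, zone, approved):
    """Return (answers, unapproved) for the name the client will look up."""
    answers = zone.get(client_query_name(nt_domain, dns_suffix), [])
    unapproved = [ip for ip in answers if ip not in approved]
    return answers, unapproved

ZONE = parse_a_records(ZONE_TEXT, ZONE_ORIGIN)
APPROVED_DCS = {"192.0.2.10", "192.0.2.11", "192.0.2.20"}

if __name__ == "__main__":
    for domain in ("NTDOMAIN", "NTDOMAIN.COM"):
        answers, bad = audit_domain(domain, "LEX.COM", ZONE, APPROVED_DCS)
        print(client_query_name(domain, "LEX.COM"), answers, "unapproved:", bad)
```

An empty answer list means the A record from step 1 is missing for that name, so a client with no WINS server and no domain controller on its segment would not locate one.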
Keywords : NTSrv nttcp kbenv
Version : WinNT:3.5,3.51,4.0
Platform : winnt
Issue type : kbhowto