
Windows 2000 naming conventions under fire

IT executives moving to Windows 2000 are uncovering yet another set of standards-compliance problems as they roll out the operating system and try to integrate it with the servers that provide critical network services.

The issues surround the IETF-standard Domain Name System (DNS), the service that maps names such as www.nwfusion.com to IP addresses, so that computers can be located on a network, Web sites found and e-mail delivered.

Skewed standards

Microsoft has implemented standard DNS in Win 2000 together with a set of newer extensions (dynamic update, secure update and service records) that some IT executives and experts say create an administrative burden and raise security questions when the system is integrated with existing Unix-based DNS servers.

Win 2000 employs Dynamic DNS (DDNS) as the default mechanism for locating domain controllers and Active Directory, and for finding computers and services. But DDNS, the IETF standard (RFC 2136) that lets machines update DNS server records automatically, isn't used by about 98% of the DNS servers currently deployed, according to some experts. IT administrators, wary of automatic updates to their Unix-based DNS servers, prefer manual updates so they can keep those servers under tight guard, even though DDNS can reduce the work of managing IP addresses.

Microsoft also chose to implement an IETF draft extension to the Dynamic Host Configuration Protocol (DHCP), the protocol that assigns IP addresses to machines automatically, that lets DHCP servers update DNS on behalf of the clients they serve; that choice makes it difficult for IT executives to integrate Win 2000 into their existing DNS infrastructures.

The company also used a draft specification for securely updating DNS records that doesn't interoperate with the DNS software most sites actually run.

"It seems that Microsoft says it is standards-compliant, but some of its standards are draft documents or implementations that the rest of the industry has not caught up with," says one systems engineer for a large utility company on the East Coast who asked to remain anonymous. "Now we have to work around our DNS to accommodate what Microsoft is doing and that means more work for us."

Some say the administrative burden and issues around secure updates are the real concerns.

"The major problem is not technical, it's an administrative issue of who has control of DNS, Win 2000 or the Unix-based system that has been working for years," says Phil Cox, a consultant for SystemExperts in Sudbury, Mass.

The majority of enterprise DNS servers today run the open source Berkeley Internet Name Domain (BIND) software. Cox says that if users upgrade to BIND 8.2.2 and enable both dynamic update (the IETF standard) and service record (SRV) support, which was still a draft when Microsoft adopted it, they should not have integration problems with Win 2000.

But the move from a static to a dynamic environment is not trivial, and requires configuration and administration changes.

The biggest issue is security. Microsoft implemented secure DNS updates with an IETF draft (GSS-TSIG, which authenticates each update with a Kerberos-derived key) that today's BIND servers do not support, which means Win 2000 cannot send secure updates to those machines; if they are to accept Win 2000 updates at all, they must accept them unauthenticated.

"The fact that BIND has to accept insecure updates is a major security issue," Cox says.
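As an added illustration, not taken from the article, Microsoft or the BIND distribution, here is the shape of the two BIND 8.2.x named.conf choices the article contrasts: the quick fix, where the whole corporate zone accepts updates from anyone with name checking switched off, next to the approach Cox and Jones describe, where the existing zone stays static and hand-edited and only a delegated subdomain takes the Win 2000 records. The subdomain name ad.example.com and the address ranges are assumptions for the example. Because Win 2000 authenticates updates only with the GSS-TSIG draft, BIND 8's shared-secret TSIG keys (`allow-update { key ...; }`) cannot be used for it; an address list is the only filter BIND can apply, and since UPDATE messages travel over UDP, a source address is spoofable. That residual exposure, confined to one zone, is what Cox is pointing at.

```conf
// WEAK: one flat zone, updates from anywhere, name checking disabled globally.
options {
    check-names master ignore;      // accepts ANY malformed owner name, not just SRV
};
zone "example.com" {
    type master;
    file "db.example.com";
    allow-update { any; };          // unauthenticated UPDATE from any source address
};

// CORRECTED: the existing zone stays static; Win 2000 gets its own dynamic subdomain.
options {
    check-names master fail;        // BIND 8 default: reject bad host names in master zones
};
zone "example.com" {
    type master;
    file "db.example.com";
    // no allow-update statement: this zone is edited by hand only
};
zone "ad.example.com" {             // assumed name of the delegated Win 2000 subdomain
    type master;
    file "db.ad.example.com";
    check-names ignore;             // underscore SRV owners are tolerated only here
    allow-update { 10.1.0.0/16; 10.2.0.0/16; };   // assumed DC and client subnets; spoofable, but bounded
};
```

A delegation (NS records for ad.example.com in the parent zone) is what makes the split work: Win 2000 clients and domain controllers register into the subdomain, and the rest of the namespace never sees an UPDATE message.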

Another issue is Win 2000 service records, or SRVs, which are used to locate services such as Active Directory, Kerberos or file/print. The SRV owner names Microsoft uses, such as those beginning _ldap._tcp, follow a proposed IETF standard that prefixes the service and protocol labels with an underscore (_) precisely so that they cannot collide with host names. Most current BIND implementations enforce the established host-name syntax (letters, digits and hyphens only) on the names in a zone and reject the underscore, so the SRVs cause errors in BIND.

Microsoft is advising users to turn off BIND's name checking (the check-names option) to solve the problem.

"I prefer not to turn off error checking because without it, I can get other faulty records in my DNS, and that can cause problems," says the administrator for the East Coast utility.
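Rather than switching name checking off altogether, the narrower rule can be enforced: an underscore is accepted only as the first character of a label and only in SRV owner names, while A, CNAME, MX and NS records still have to meet the RFC 1123 host-name syntax. The following Python script, added here as an example and not part of the article or of BIND, encodes that rule and runs it over a small constructed zone listing. The two SRV names are the ones a Win 2000 domain controller registers under its domain (the example.com suffix and the default site name are assumed); the remaining entries are made-up faulty records of the kind the utility administrator worries would slip through once checking is disabled.

```python
import re

# RFC 952/1123 host-name label: letters, digits and hyphens, no leading or
# trailing hyphen, 1..63 octets. This is the rule BIND 8's check-names applies
# to the owner names of address-type records.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Underscore-prefixed label as used in SRV owner names (_ldap, _tcp, _msdcs,
# _sites): the underscore is allowed only as the first character.
_SERVICE_LABEL = re.compile(r"^_[A-Za-z0-9][A-Za-z0-9-]{0,62}$")

# Record types whose owner names must be host names under this policy.
HOST_NAME_TYPES = {"A", "AAAA", "CNAME", "MX", "NS"}


def _labels(name):
    name = name.rstrip(".")
    return name.split(".") if name else []


def is_host_name(name):
    """True if every label satisfies the RFC 1123 host-name syntax."""
    labels = _labels(name)
    if not labels or len(".".join(labels)) > 253:
        return False
    return all(_HOST_LABEL.match(label) for label in labels)


def is_srv_owner(name):
    """True for an RFC 2782-style owner: _service._proto followed by labels that
    are either further underscore labels (dc._msdcs, _sites) or host labels."""
    labels = _labels(name)
    if len(labels) < 3 or len(".".join(labels)) > 253:
        return False
    if not (_SERVICE_LABEL.match(labels[0]) and _SERVICE_LABEL.match(labels[1])):
        return False
    return all(_SERVICE_LABEL.match(label) or _HOST_LABEL.match(label)
               for label in labels[2:])


def check_record(owner, rtype):
    """check-names-style verdict for one record: 'ok' or the reason it fails."""
    if rtype == "SRV":
        return "ok" if is_srv_owner(owner) else "SRV owner is not _service._proto.<name>"
    if rtype in HOST_NAME_TYPES:
        return "ok" if is_host_name(owner) else "owner is not a valid host name"
    return "ok"  # PTR, TXT and the rest are not name-checked by this policy


def audit_zone(records):
    """Return the (owner, type, reason) triples that the targeted check rejects."""
    rejected = []
    for owner, rtype in records:
        reason = check_record(owner, rtype)
        if reason != "ok":
            rejected.append((owner, rtype, reason))
    return rejected


# Constructed zone listing for the demo. The two SRV names are those a
# Win 2000 domain controller registers (example.com suffix assumed);
# the last three entries are made-up faulty records.
SAMPLE_ZONE = [
    ("dc1.example.com.", "A"),
    ("_ldap._tcp.dc._msdcs.example.com.", "SRV"),
    ("_kerberos._tcp.Default-First-Site-Name._sites.example.com.", "SRV"),
    ("host_1.example.com.", "A"),       # underscore inside a host name
    ("web server.example.com.", "A"),   # space in a host name
    ("_tcp.example.com.", "SRV"),       # missing the _service label
]

if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(SAMPLE_ZONE):
        print(f"REJECT {rtype:4} {owner}: {reason}")
```

The point of the split rule is that the SRV names BIND was choking on pass, while the three faulty records that a global `check-names ignore` would also wave through are still caught.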

Layers of confusion

Another integration issue involves DHCP. Microsoft has used part of an IETF draft, the Client FQDN option known as Option 81, to determine whether the DHCP server or the Win 2000 client will update the DNS server. The updates concern the address (A) record, which maps a host name to its IP address, and the pointer (PTR) record, which maps the address back to the name.

"If your DHCP server does not support Option 81, then your DHCP and your Win 2000 client potentially could try to update the same DNS record," says Mike Dooley, vice president of engineering for Lucent IP Services Product Group. Lucent has added support for Option 81 to its QIP Enterprise 5.0, a DHCP server, but most other DHCP servers have not. Without Option 81 in DHCP, Win 2000 clients bypass DHCP servers and update the records themselves.
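To make Dooley's point concrete, here is an added Python example, not from the article, Lucent or Microsoft, that builds and parses the DHCP Client FQDN option (Option 81) and works out who writes the A and PTR records. The flag bits used (S: client asks the server to update the A record; O: server overrode the client's request; E: name carried in DNS wire format; N: server should perform no updates) are those of the option as later standardized in RFC 4702; it is assumed here that the draft Win 2000 implemented used the same S, O and N bits and the plain ASCII name form, and the behaviour modelled for a server that does not understand the option (it ignores it and, if configured to update DNS at all, writes both records while the client still registers its own A record) is likewise an assumption made for illustration. The host name pc1.example.com is constructed.

```python
OPTION_CLIENT_FQDN = 81

# Flag bits of the Client FQDN option (RFC 4702 layout; draft bits assumed equal).
FLAG_S = 0x01   # client requests that the server update the A record
FLAG_O = 0x02   # set by the server in its reply when it overrides the client's S
FLAG_E = 0x04   # domain name is in DNS wire format rather than ASCII
FLAG_N = 0x08   # client requests that the server perform no DNS updates


def _wire_name(fqdn):
    """Encode a name as length-prefixed labels ending in a zero octet."""
    out = b""
    for label in fqdn.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def _parse_wire_name(data):
    labels, i = [], 0
    while i < len(data):
        n = data[i]
        i += 1
        if n == 0:
            break
        labels.append(data[i:i + n].decode("ascii"))
        i += n
    return ".".join(labels)


def encode_option81(fqdn, server_updates_a=False, no_updates=False, wire_encoded=False):
    """Build the option as a client would send it: code, length, flags, RCODE1, RCODE2, name."""
    flags = 0
    if server_updates_a:
        flags |= FLAG_S
    if no_updates:
        flags |= FLAG_N
    if wire_encoded:
        flags |= FLAG_E
    name = _wire_name(fqdn) if wire_encoded else fqdn.encode("ascii")
    body = bytes([flags, 0, 0]) + name        # RCODE1/RCODE2 are 0 in a request
    return bytes([OPTION_CLIENT_FQDN, len(body)]) + body


def parse_option81(opt):
    """Decode code/length/flags/rcodes/name; raises ValueError on a malformed option."""
    if len(opt) < 5 or opt[0] != OPTION_CLIENT_FQDN or opt[1] != len(opt) - 2:
        raise ValueError("not a well-formed Client FQDN option")
    flags, rcode1, rcode2 = opt[2], opt[3], opt[4]
    name = opt[5:]
    fqdn = _parse_wire_name(name) if flags & FLAG_E else name.decode("ascii")
    return {"flags": flags, "rcode1": rcode1, "rcode2": rcode2, "fqdn": fqdn}


def plan_updates(opt, server_supports_81=True, server_updates_dns=True):
    """Return {'A': set_of_writers, 'PTR': set_of_writers} for one lease.

    A Win 2000 client always registers its own A record unless the server
    agreed (via the S bit) to do it; the assumed legacy-server behaviour is
    that a server ignoring the option writes both records by its own policy."""
    plan = {"A": set(), "PTR": set()}
    if not server_supports_81:
        plan["A"].add("client")
        if server_updates_dns:
            plan["A"].add("server")
            plan["PTR"].add("server")
        return plan
    flags = parse_option81(opt)["flags"]
    if flags & FLAG_N:              # client does everything, server stays out
        plan["A"].add("client")
        plan["PTR"].add("client")
    elif flags & FLAG_S:            # client delegated A to the server; server also does PTR
        plan["A"].add("server")
        plan["PTR"].add("server")
    else:                           # Win 2000 default split: client A, server PTR
        plan["A"].add("client")
        plan["PTR"].add("server")
    return plan


def conflicts(plan):
    """Record types that two parties would both try to write."""
    return [rr for rr, writers in plan.items() if len(writers) > 1]


if __name__ == "__main__":
    opt = encode_option81("pc1.example.com")           # constructed client name
    print(parse_option81(opt))
    print("81-aware server:", plan_updates(opt), conflicts(plan_updates(opt)))
    legacy = plan_updates(opt, server_supports_81=False)
    print("legacy server:  ", legacy, conflicts(legacy))
```

The legacy-server case is the one Dooley describes: with the option ignored, both the client and the server end up owning the A record, and which value wins depends on the order of their updates.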

With all the issues required to integrate Unix-based DNS and Win 2000, some users have chosen to isolate the Microsoft software.

"We will use Win 2000 on a subdomain with DDNS, but DDNS won't be used broadly," says Richard Jones, IT security coordinator for the University of Colorado at Boulder. "We won't run Microsoft DNS servers; Windows will get DNS services from Unix."

Because DNS is hierarchical, a delegated subdomain can be served under different rules from the rest of the namespace, so experts say Jones' solution is a valid design and one that Microsoft itself recommends.

Until some of the DNS integration issues are ironed out, users may be well advised to follow that example.

Copyright, 1994-2006 Network World, Inc. All rights reserved.