3.1.3 Initialization

At initialization time, the server MUST load the DNS Server Configuration (section 3.1.1) from persistent local storage. The server MUST then initialize its zones:

If the server is configured to use a directory server:

  • The server MUST invoke the task Initialize an ADConnection, as defined in [MS-ADTS] section 7.6.1.1, with the following parameters:

    • TaskInputTargetName: NULL.

    • TaskInputPortNumber: 389.

  • The server MUST store the new TaskReturnADConnection returned from the task as DNS Server AD Connection.

  • If the AD connection is successfully initialized, the server MUST invoke the task Setting an LDAP Option on an ADConnection, as defined in [MS-ADTS] section 7.6.1.2, on the Active Directory connection DNS Server AD Connection. Parameters (specified in [MS-ADTS] section 7.3) for this task are as follows:

    • TaskInputOptionName: LDAP_OPT_AREC_EXCLUSIVE.

    • TaskInputOptionValue: TRUE.

    • TaskInputOptionName: LDAP_OPT_PROTOCOL_VERSION.

    • TaskInputOptionValue: 3.

    • TaskInputOptionName: LDAP_OPT_TIMELIMIT.

    • TaskInputOptionValue: 180.

    • TaskInputOptionName: LDAP_OPT_REFERRALS.

    • TaskInputOptionValue: FALSE.

  • After the Active Directory connection is initialized and the option is set, the server MUST invoke the Establishing an ADConnection task, as specified in [MS-ADTS] section 7.6.1.3, with the TaskInputADConnection parameter set to DNS Server AD Connection.

  • For the final step to complete the connection through LDAP to the local directory server, the server MUST invoke the Performing an LDAP Bind on an ADConnection task, as specified in [MS-ADTS] section 7.6.1.4, with the TaskInputADConnection parameter set to DNS Server AD Connection.

  • If any of the previous steps returns an error, the server MUST retry the connection with LDAP up to eight times, unless the Global Server State changes to "Stopping", in which case it MUST discontinue initialization. If each of the eight attempts to connect with LDAP fails, the server MUST continue initialization.

    • If the connection with LDAP was successfully established:

      • The server MUST check that the DnsAdmins group<212> (for more information see [MSDOCS-ADSecGrps]) already exists in the Local security groups (section 3.1.1). If it does not exist, and if the server is not a read-only server, then the server MUST create the DnsAdmins group in the Local security groups. The groupType attribute value for the DnsAdmins group MUST be 0x80000004.

      • If the server is not a read-only server, it MUST:

        • Attempt to add the MicrosoftDNS container object by invoking the Performing an LDAP Operation on an ADConnection task, as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

          • TaskInputADConnection: DNS Server AD Connection.

          • TaskInputRequestMessage: protocolOp is set to addRequest ([RFC4511] section 4.7).

          • The parameters of the addRequest are set as follows:

            • entry: "CN=MicrosoftDNS,CN=System,<Forest DN>"

            • attributes:

              • type: "objectClass"; vals: "container"

              • type: "cn"; vals: "MicrosoftDNS"

        • If the operation was successful, or if the operation failed because the object already existed and the DnsAdmins group was newly created in the last step, then the server MUST:

          • Attempt to grant all rights and ownership, with container inheritance, for the MicrosoftDNS (distinguished name: CN=MicrosoftDNS,CN=System,<Forest DN>) object to the DnsAdmins group by following the procedure specified in section 3.1.6.4.

          • Attempt to grant all rights, with container inheritance, for the MicrosoftDNS (distinguished name: CN=MicrosoftDNS,CN=System,<Forest DN>) object to the Enterprise Domain Controllers group by following the procedure specified in section 3.1.6.4.

          • Attempt to remove all rights for the MicrosoftDNS (distinguished name: CN=MicrosoftDNS,CN=System,<Forest DN>) object from the Authenticated Users and Built-In Administrators groups by following the procedure specified in section 3.1.6.4.

        • If the attempted addition of the MicrosoftDNS container object was successful, or if it failed because the object already existed, the server MUST:

          • Check that the displayName attribute of the object has been set, by invoking the Performing an LDAP Operation on an ADConnection task, as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

            • TaskInputADConnection: DNS Server AD Connection.

            • TaskInputRequestMessage: protocolOp is set to searchRequest ([RFC4511] section 4.5).

            • The parameters of the searchRequest are set as follows:

              • baseObject: "CN=MicrosoftDNS,CN=System,<Forest DN>"

              • scope: base (0)

              • derefAliases: neverDerefAliases (0)

              • sizeLimit: 0

              • timeLimit: 360

              • typesOnly: FALSE

              • filter: "(objectCategory=*)"

              • attributes: displayName

          • If the search request was successful and the MicrosoftDNS container has no values for the displayName attribute, then modify the displayName attribute by invoking the Performing an LDAP Operation on an ADConnection task, as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

            • TaskInputADConnection: DNS Server AD Connection.

            • TaskInputRequestMessage: protocolOp is set to modifyRequest ([RFC4511] section 4.6).

            • The parameters of the modifyRequest are set as follows:

              • object: "CN=MicrosoftDNS,CN=System,<Forest DN>"

              • changes:

                • operation: replace

                • type: displayName

                • vals: "DNS Servers"

        • The server MUST attempt to enumerate the application directory by invoking the Performing an LDAP Operation on an ADConnection task, as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

          • TaskInputADConnection: DNS Server AD Connection.

          • TaskInputRequestMessage: protocolOp is set to searchRequest ([RFC4511] section 4.5).

          • The parameters of the searchRequest are set as follows:

            • baseObject: "CN=Partitions,CN=Configuration,<Forest DN>"

            • scope: singleLevel (1)

            • derefAliases: neverDerefAliases (0)

            • sizeLimit: 0

            • timeLimit: 360

            • typesOnly: FALSE

            • filter: "(objectCategory=crossRef)"

            • attributes: "CN, ntSecurityDescriptor, instanceType, ms-DS-SDReferenceDomain, systemFlags, msDS-NC-Replica-Locations, ms-DS-NC-RO-Replica-Locations, nCName, dnsRoot, objectGUID, whenCreated, whenChanged, usnCreated, usnChanged, Enabled, objectClass"

        • For each object found in the search, the server MUST use the configuration, replication, and security metadata values contained in the object to construct a structure of type DNS_RPC_DP_INFO (see section 2.2.7.2.1), computing the value of each field as specified in section 2.2.7.2.1, and the server MUST insert the structure as an entry in the Application Directory Partition Table. The server MUST create the in-memory Application Directory Partition Access Control List by copying the ntSecurityDescriptor attribute of the crossRef object. The server MUST also retrieve and store, in memory, the identity of the Domain Naming Master FSMO role owner. If the default DNS Domain Partition or default DNS Forest Partition is not present during polling, the server MUST attempt to create and enlist in these partitions. If any LDAP operation fails, the server MUST continue initialization.
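The directory-connection, DnsAdmins, MicrosoftDNS container and ACL steps above, modelled as an added example that is not code from the specification or from any DNS server implementation; a constructed in-memory directory stands in for the ADConnection tasks, and the names FakeDirectory, connect_with_retry and initialize_directory_objects are assumptions.

```python
from dataclasses import dataclass, field

MAX_LDAP_ATTEMPTS = 8                                        # "up to eight times"
MICROSOFTDNS_DN = "CN=MicrosoftDNS,CN=System,<Forest DN>"    # <Forest DN> kept as the spec's placeholder

@dataclass
class FakeDirectory:                                         # constructed stand-in, not a real LDAP client
    connect_failures: int = 0                                # attempts that fail before one succeeds
    groups: set = field(default_factory=set)                 # names in the Local security groups
    objects: dict = field(default_factory=dict)              # dn -> attributes
    acl_actions: list = field(default_factory=list)          # (action, trustee) applied to MicrosoftDNS

    def connect(self) -> bool:
        if self.connect_failures > 0:
            self.connect_failures -= 1
            return False
        return True

    def add(self, dn, attrs) -> str:                         # LDAP addRequest, reduced to two outcomes
        if dn in self.objects:
            return "entryAlreadyExists"
        self.objects[dn] = dict(attrs)
        return "success"

def connect_with_retry(directory, server_state) -> bool:
    """Retry up to eight times; stop early once server_state() (the Global Server State) is "Stopping"."""
    for _ in range(MAX_LDAP_ATTEMPTS):                       # checking the state before each attempt is an assumption
        if server_state() == "Stopping":
            return False
        if directory.connect():
            return True
    return False                                             # all attempts failed; initialization continues

def initialize_directory_objects(directory, read_only=False) -> dict:
    """DnsAdmins group, MicrosoftDNS container, its ACL and displayName, in the spec's order."""
    group_created = "DnsAdmins" not in directory.groups and not read_only
    if group_created:
        directory.groups.add("DnsAdmins")                    # a real group would carry groupType 0x80000004
    result = {"group_created": group_created, "acl_set": False, "display_name_set": False}
    if read_only:
        return result
    add_result = directory.add(MICROSOFTDNS_DN, {"objectClass": "container", "cn": "MicrosoftDNS"})
    exists = add_result == "entryAlreadyExists"
    if add_result == "success" or (exists and group_created):   # ACL rewritten only in these two cases
        directory.acl_actions += [("grant_all_and_owner", "DnsAdmins"), ("grant_all", "Enterprise Domain Controllers"),
                                  ("remove_all", "Authenticated Users"), ("remove_all", "Built-In Administrators")]
        result["acl_set"] = True
    if add_result == "success" or exists:
        obj = directory.objects[MICROSOFTDNS_DN]
        if not obj.get("displayName"):                       # replace only when the attribute has no values
            obj["displayName"] = "DNS Servers"
            result["display_name_set"] = True
    return result
```

Note that when both the container and the DnsAdmins group already exist, the ACL step is skipped entirely, so an existing security descriptor on MicrosoftDNS is left as it is.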

In all cases:

  • The server MUST retrieve the list of zones to load from the source specified by the BootMethod setting's value (section 2.2.4.1.1) and attempt to load zones from the configuration source specified by the BootMethod setting (section 3.1.1.1.1).

    • If the method is BOOT_METHOD_UNINITIALIZED (section 2.2.4.1.1):

      • If a zone loaded from the local directory server results in a zone with no nodes, the server MUST then attempt to load the same zone from file-based persistent storage.

    • If the method is BOOT_METHOD_DIRECTORY (section 2.2.4.1.1):

      • If a zone loaded from the local directory server results in a zone with no nodes, the server MUST then attempt to load the same zone from file-based persistent storage.

      • If the LDAP connection to the directory server is unavailable, the server MUST attempt to load those zones specified in the persistent copy of the DNS Zone Table that are stored in local persistent storage.

      • If the LDAP connection to the directory server is available, the server MUST attempt to load the zones specified in the persistent copy of the DNS Zone Table, but only those zones stored in the Application Directory Partitions in which the server is enlisted. This MUST include at minimum the defaultNamingContext of the directory server's rootDSE, the default DNS Domain Partition and the default DNS Forest Partition. If the zone is stored in local persistent storage, the server MUST attempt to load the zone. If the zone is directory server-integrated, the server MUST attempt to load the LDAP dnsZone and dnsNode objects (section 2.3) that represent the zone from the directory server. The DNS server MUST ignore any DNS node in the directory server which has the dnsTombstoned attribute set to TRUE. If an attempt to load a zone fails for any reason, the server MUST clear the contents of the in-memory zone (if any) and mark the zone state as shutdown (see section 2.2.5.2.2), but continue initialization.

      • If there are no root hints in the local directory server, but root hints were loadable from a file-based persistent storage and are non-empty, the server MUST write the root hints back to the local directory server through the WriteDirtyZones operation (section 3.1.4.1) by using the DNS_ZONE_LOAD_OVERWRITE_DS flag (section 2.2.5.2.7.1).

  • The DNS Server Management Protocol server MUST register the RPC interface and begin listening on the RPC transports, as specified in section 2.1, and limited by the flags specified for the RpcProtocol property (section 3.1.1.1.1).

  • The server SHOULD invoke the NetlogonControl2Ex method with function code NETLOGON_CONTROL_FORCE_DNS_REG on the Netlogon protocol implementation on the local Domain Controller.<213> (See [MS-NRPC] section 3.5.4.9.1.)
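The BOOT_METHOD_DIRECTORY zone-loading rules above (enlisted partitions only, dnsTombstoned nodes ignored, file fallback for an empty zone, shutdown on failure), as an added example that is not part of the specification; the zone table, partition names and node lists are constructed sample data, and usable_nodes and load_zones are assumed names.

```python
def usable_nodes(dns_nodes):
    """Nodes of a directory-integrated zone, ignoring any dnsNode with dnsTombstoned TRUE."""
    return [n for n in dns_nodes if not n.get("dnsTombstoned", False)]

def load_zones(zone_table, directory, files, ldap_available):
    """Apply the BOOT_METHOD_DIRECTORY rules; returns {zone name: (state, nodes)}.

    zone_table: constructed DNS Zone Table entries: {"name", "ds_integrated", "partition"}.
    directory:  {"enlisted": set of partition names, "partitions": {partition: {zone: [dnsNode dicts]}}}.
    files:      {zone name: [nodes]} standing in for file-based persistent storage.
    State labels "loaded"/"shutdown" are simplified; only "shutdown" is named in the spec.
    """
    loaded = {}
    for zone in zone_table:
        name = zone["name"]
        if not zone["ds_integrated"]:                      # zone stored locally: always attempted
            loaded[name] = ("loaded", list(files.get(name, [])))
            continue
        if not ldap_available or zone["partition"] not in directory["enlisted"]:
            continue                                       # directory zone is not attempted at all
        try:
            nodes = usable_nodes(directory["partitions"][zone["partition"]][name])
        except KeyError:                                   # any load failure
            loaded[name] = ("shutdown", [])                # clear the zone, mark shutdown, carry on
            continue
        if not nodes:                                      # zone came back with no nodes
            nodes = list(files.get(name, []))              # fall back to file-based storage
        loaded[name] = ("loaded", nodes)
    return loaded

# Constructed sample data (partition and zone names are made up, not from any real deployment)
ZONE_TABLE = [
    {"name": "corp.example", "ds_integrated": True, "partition": "DefaultDomainPartition"},
    {"name": "stale.example", "ds_integrated": True, "partition": "DefaultDomainPartition"},
    {"name": "missing.example", "ds_integrated": True, "partition": "DefaultForestPartition"},
    {"name": "other.example", "ds_integrated": True, "partition": "UnenlistedPartition"},
    {"name": "local.example", "ds_integrated": False, "partition": None},
]
DIRECTORY = {
    "enlisted": {"DefaultDomainPartition", "DefaultForestPartition"},
    "partitions": {"DefaultDomainPartition": {
        "corp.example": [{"name": "www", "dnsTombstoned": False}, {"name": "old", "dnsTombstoned": True}],
        "stale.example": [{"name": "gone", "dnsTombstoned": True}],
    }, "DefaultForestPartition": {}},
}
FILES = {"stale.example": [{"name": "@"}], "local.example": [{"name": "ns1"}]}
```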