3.1.1 Abstract Data Model
This section describes a conceptual model of possible data organization that an implementation maintains to participate in this protocol. The described organization is provided to facilitate the explanation of how the protocol behaves. This document does not mandate that implementations adhere to this model as long as their external behavior is consistent with that described in this document.
Global Server State: The global state of the server set to one of the following values:
Loading: the DNS server is loading configuration and zone data.
Running: the DNS server has loaded all data and is serving queries.
Stopping: the DNS server is shutting down.
DNS Server Configuration: Configuration information for the server, in persistent storage, in the form of (name, value) pairs. The list of metadata information can be found in section 3.1.1.1.
DNS Server AD Connection: An ADCONNECTION_HANDLE as defined in [MS-DTYP] section 2.2.2. This element is used every time the DNS server needs to communicate to the directory server.
DNS Server Configuration Access Control List: An access control list that specifies what client identities have read and write permissions on the DNS Server Configuration. If the DNS server is directory server integrated, the access control list is stored in the local directory server.<107> Otherwise, this access control list is not stored in persistent storage and is dynamically created at server start time.<108>
DNS Zone Table: Configuration information for DNS zones, in persistent and in-memory storage. The Zone Table can be stored persistently either in a file or in the local directory server, but not both simultaneously. The Zone Table also resides in-memory, behaving as a cache containing the current working copy of both zones loaded from persistent storage, as well as zones retrieved from remote DNS servers. A query to a zone MUST be responded to using only the data in the corresponding in-memory zone. A modification to any elements of a zone, such as a DNS update of records [RFC2136], MUST be reflected immediately in the corresponding in-memory zone and MUST be immediately transactionally committed to DS-integrated storage afterwards (see "WriteDirtyZones" in section 3.1.4.1). Each update to the in-memory zone MUST be atomic. If an update to the in-memory zone does not succeed, the in-memory zone MUST be restored to its previous state before the update. Queries to a zone during an in-memory zone modification process are responded to using the post-update zone state. For zones stored in the local directory server, this table can include zones that are in the process of being deleted (see "DeleteZoneFromDs" in section 3.1.4.1).
-
The in-memory DNS Zone Table is used for queries and modifications for all zone operations (see section 3.1.4). The in-memory Zone Table is populated during server initialization per-zone from either the local persistent storage or DS-integrated Zone Table. When modifications are made to a zone, such as after a DNS update or zone transfer, the changes are reflected first in the in-memory Zone Table, which is then copied per zone, for all zone types except DNS_ZONE_TYPE_CACHE (section 2.2.5.1.1), to either the local persistent storage or immediately to the DS-integrated Zone Table. In-memory data retrieved from remote DNS servers are not copied to local persistent or DS-integrated storage, except for secondary zones with an fDsIntegrated value of FALSE (section 2.2.5.2.6), which MUST eventually be copied to local persistent storage. For DS-integrated zones, the server polls the directory server using the LDAP protocol every DsPollingInterval (section 3.1.1.1) to copy DS-integrated zones to the respective in-memory zones. If an error occurs during polling, the DNS server MUST NOT mark the zone as shutdown (see section 2.2.5.2.2) and MUST attempt to poll the zone again after DsPollingInterval (section 3.1.1.1) seconds have elapsed. Zones of type DNS_ZONE_TYPE_CACHE (section 2.2.5.1.1) are never written to persistent storage. All contents of a zone of type DNS_ZONE_TYPE_CACHE MUST be discarded when the DNS server process is terminated or when the ClearCache operation (section 3.1.4.1) is executed.
-
The local persistent storage DNS Zone Table is copied to the in-memory DNS Zone Table on server initialization and is copied from the in-memory Zone Table after a modification to the in-memory Zone Table is complete.
-
The directory server-integrated DNS Zone Table is copied to the in-memory DNS Zone Table on server initialization and is copied from the in-memory Zone Table immediately after a modification to the in-memory Zone Table is complete. When changes occur in the DS-integrated Zone Table, the changes are not reflected in the in-memory Zone Table until the DNS server polls the directory server to update the in-memory Zone Table with the modified DS-integrated Zone Table. If changes happened simultaneously to the in-memory Zone Table and the DS-integrated Zone Table, then the post-modified DS-integrated Zone Table is copied to and overwrites the in-memory Zone Table.
-
For each zone, the DNS Zone Table consists of the following:
-
Zone Name: The name of the zone.
-
Zone Status: Operational state information pertaining to the zone, such as the information in DNS_RPC_ZONE_FLAGS (section 2.2.5.2.2).
-
Metadata: Configuration information for the zone, in the form of (name, value) pairs. The list of metadata information can be found in section 3.1.1.2.
-
Zone GUID: A GUID associated with the zone. The default value of this property MUST be NULL. If this zone is stored in the directory server, then this value is initialized from the objectGUID attribute of the associated dnsZone object in the DS-integrated DNS Zone Table, which is generated as specified in [MS-ADTS], section 3.1.1.1.2, when the zone is first added to the directory server. When the server polls the directory server and discovers that a zone has been deleted from the DS-integrated DNS Zone Table, it uses the objectGUID attribute of that dnsZone object to identify the corresponding zone in the in-memory copy of the DNS Zone Table.
-
DNS Nodes and Records: The collection of DNS records for each DNS zone. Each distinct DNS owner name (see [RFC1035]) present in the zone is represented by a node. Each node in the zone has a collection of DNS records that pertain to the DNS owner name of the node. Each DNS record also has metadata which is specified in section 3.1.1.2. The collection of DNS nodes and records for each zone MUST contain a node representing the name of the zone itself, which MUST contain an SOA record that stores the fields present in the DNS_RPC_RECORD_SOA structure (section 2.2.2.2.4.3). The zone serial number is stored in the dwSerialNo field of this SOA record. DNS records can be accessed or updated by the local directory server through directory server replication and by remote DNS servers through the DNS protocol [RFC1035] and DNS update [RFC2136].
-
DNS Node Tombstone State: Each node in a zone MAY have a Boolean value indicating if this DNS node is a tombstone.<109>
-
Zone Access Control List: An access control list that specifies what client identities have permissions on this DNS Zone. If the zone is stored in the directory server, the access control list is stored in the ntSecurityDescriptor attribute of the dnsZone object (section 2.3) and can be modified using standard LDAP modify operations (see [MS-ADTS] section 3.1.1.5.3). If the zone is not stored in the directory server, the zone does not have an access control list associated with it and instead the DNS Server Configuration Access Control List is used as the access control list for the zone.<110>
-
Last Transferred Zone Serial Number: The zone serial number that was last sent in a complete [RFC1035] or incremental [RFC1995] zone transfer to a remote DNS server.
-
Time of Last SOA Check: For a secondary or stub zone, the time at which the primary zone was last contacted (whether successfully or unsuccessfully) to compare zone serial numbers. The value is expressed as the number of seconds since the system booted, in unsigned 32-bit integer format. The default value of this property MUST be zero.
-
Time Zone Secured: The time at which the zone's AllowUpdate property (section 3.1.1.2.1) was last changed from any value to ZONE_UPDATE_SECURE (section 2.2.6.1.1). Changes of the zone's AllowUpdate property to any other value MUST NOT cause a change to Time Zone Secured., The value is expressed as the number of seconds since 12:00 A.M. January 1, 1601 Coordinated Universal Time (UTC) in unsigned 64-bit integer format. The default value of this property MUST be zero. If this zone is stored in the local directory server, then this value is initialized from and written to the "whenChanged" attribute of the dnsZone.
-
Dirty Flag: A Boolean variable present only in the in-memory copy of a zone. Set to true only if the zone has been modified in memory and there is a copy of the zone in persistent storage to which the in-memory modifications have not been committed.
-
Signing Key Descriptor List: A list of zero or more signing key descriptors associated with the zone, used to inform the online signing process. Each entry in this list consists of the fields in the DNS_RPC_SKD (see section 2.2.6.2.1) and DNS_RPC_SKD_STATE (see section 2.2.6.2.3) structures.<111>
-
Rollover Queue: An ordered list of zero or more signing key descriptors in the zone ready for key rollover. A signing key descriptor whose dwRolloverPeriod is not 0xFFFFFFFF is automatically added to this queue when dwRolloverPeriod seconds have elapsed since the signing key descriptor's last successful key rollover, or since the zone was initially online-signed. A signing key descriptor can be added to this queue prior to this time by invoking the PerformZoneKeyRollover operation of the R_DnssrvOperation method (section 3.1.4.1). The DNS server SHOULD<112> perform key rollover on each item in this queue, one at a time, according to the process specified in [RFC4641] and [RFC5011].
-
Application Directory Partition Table: The DNS server SHOULD<113> support the concept of application directory partitions. Each entry in the Application Directory Partition Table, stored in memory, consists of the fields in DNS_RPC_DP_INFO (section 2.2.7.2.1). This table is populated during DNS server initialization through queries to the local directory server using the LDAP protocol. To populate this table, the DNS server MUST use LDAP queries to enumerate all objects under "CN=Partitions, CN=Configuration, <Forest DN>" of object class crossRef and for each object's read attribute values as specified by the definitions of the fields of DNS_RPC_DP_INFO (section 2.2.7.2.1). Certain fields do not correspond directly to data stored in local directory server (see section 2.2.7.2.1).The Application Directory Partition Table is kept up-to-date as partitions are created or deleted on the local server, by writing changes to the local directory server and immediately polling to refresh the Application Directory Partition Table. The DNS server polls the directory server at an interval specified by DsPollingInterval (see section 3.1.1.1) to reflect changes made by remote directory servers (see section 3.1.4.1). If the default DNS domain partition or the default DNS forest partition is not present when polling, the server MUST attempt to create and enlist in these partitions as part of the polling process.
-
Application Directory Partition Access Control List: In addition to the fields in DNS_RPC_DP_INFO 2.2.7.2.1) each entry in the Application Directory Partition Table MUST also contain an access control list stored persistently in the directory server in the ntSecurityDescriptor attribute of the crossRef object associated with the Application Directory Partition.<114>
-
Remote Server Table: An in-memory state table of EDNS [RFC2671] support statuses of remote DNS servers that the local server has previously contacted. The status of a remote server is cached for the interval specified by EDnsCacheTimeout (section 3.1.1.1.1). The state of a remote server can be set to one of the following values:
Unknown: the remote server's EDNS [RFC2671] support is indeterminate; initial state.
Not supported: the remote server does not support EDNS [RFC2671].
Ok: the remote server supports EDNS [RFC2671].
Maybe not supported: the remote server has not responded, and an EDNS [RFC2671] support state cannot yet be determined.
-
Statistics: An in-memory structure whose elements correspond directly with the objects specified in sections 2.2.10.2.4 through 2.2.10.2.24, omitting the Header field of each. These values are made available to clients of the DNS Server Management Protocol by the DNS server when processing R_DnssrvComplexOperation2 (section 3.1.4.8) method calls with operation type "Statistics".
-
DNS Server Credentials: The credentials that the DNS server process will be invoked as. These credentials MUST be used for all file, registry, and directory service LDAP operations where user credentials are not available.<115>
-
DownlevelDCsInDomain: The count of downlevel domain controllers in the domain in an unsigned 32-bit integer format. The default value MUST be zero.<116>
-
Domain Naming Master Identity: Host name of the Domain Naming Master FSMO role represented as a string (wchar*). Whenever the DNS server makes any changes to crossRef objects, it MUST establish an LDAP connection to the Host whose name is stored here, and modify its version of the object accordingly.
-
Local security groups: A list of group identities with accompanying membership information. When permissions are set for an object, a local security group identity can be used to set permissions for all members of that group.