Contents
Overview 1
Designing a Functional DNS Solution 7
Discussion: Designing DNS Solutions 20
Enhancing a DNS Design for Availability 28
Optimizing a DNS Design for Performance 31
Discussion: Enhancing DNS Solutions 35
Lab A: Designing a DNS Solution 37
Review 49
Module 4: DNS as a Solution for Name Resolution
to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, PowerPoint, Visual Basic, Visual C++, Visual Studio, Win32, Windows, Windows Media, Windows NT, are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries/regions.
Project Lead: Don Thompson (Volt Technical)
Instructional Designers: Patrice Lewis (S&T OnSite), Renu Bhatt NIIT (USA) Inc
Instructional Design Consultants: Paul Howard, Susan Greenberg
Program Managers: Jack Creasey, Doug Steen (Independent Contractor)
Technical Contributors: Thomas Lee, Bernie Kilshaw, Joe Davies
Graphic Artist: Kirsten Larson (S&T OnSite)
Editing Manager: Lynette Skinner
Editor: Kristen Heller (Wasser)
Copy Editor: Kaarin Dolliver (S&T Consulting)
Online Program Manager: Debbi Conger
Online Publications Manager: Arlo Emerson (Aditi)
Online Support: Eric Brandt (S&T Consulting)
Multimedia Development: Kelly Renner (Entex)
Test Leads: Sid Benevente, Keith Cotton
Test Developer: Greg Stemp (S&T OnSite)
Production Support: Lori Walker (S&T Consulting)
Manufacturing Manager: Rick Terek (S&T OnSite)
Manufacturing Support: Laura King (S&T OnSite)
Lead Product Manager, Development Services: Bo Galford
Lead Product Manager: Ken Rosen
Group Product Manager: Robert Stewart
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the knowledge and decision-making skills that are necessary to design a functional name resolution service by using DNS within a Microsoft® Windows® 2000 networking infrastructure. In the module, students will make DNS technology decisions to enhance the design’s security, availability, and performance based on the organization’s requirements.
At the end of this module, students will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization’s namespace requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to improve the availability of DNS.
• Select appropriate strategies to improve DNS performance.
Upon completion of the design lab, students will be able to design DNS solutions that meet the name resolution requirements of a variety of organizations.
Materials and Preparation
This section provides you with the materials and preparation needed to teach this module.
Materials
To teach this module, you need the following materials:
• Microsoft PowerPoint® file 1562B_04.ppt
Preparation Tasks
To prepare for this module:
• Review the contents of this module.
• Read any relevant information in the Windows 2000 Help files, the Windows 2000 Resource Kit, or in documents provided on the Instructor CD.
• Read the relevant RFCs in the Windows 2000 Help files.
• Review discussion material and be prepared to lead class discussions on the topics.
• Complete the lab and be prepared to elaborate beyond the solutions found there.
• Read the review questions and be prepared to elaborate beyond the answers provided in the text.
Presentation: 75 Minutes
Lab: 45 Minutes
Module Strategy
Use the following strategy to present this module:
Introducing DNS
Emphasize the importance of name resolution in a network. Give some examples of user-friendly addresses and numerical Internet Protocol (IP) addresses. After the students understand the importance of name resolution, give a brief overview of Windows 2000 DNS. Explain how DNS resolves names. For an overview of DNS, you can ask the students to view the DNS video on the Student CD.
In this section:
• Emphasize that the first step in designing a DNS solution is to identify the design decisions that influence the design. Point out that it is essential to determine the network configuration and the number of hosts, locations, subnets, and routers before starting the design.
• Describe the solutions provided by DNS. Emphasize that DNS can integrate with other products. Discuss the impact of DNS on network management.
• Emphasize that integration of DNS with WINS, DHCP, and the Active Directory™ directory service helps in name resolution by obtaining IP configuration and DNS server authentication.
Designing a Functional DNS Solution
Explain that DNS functionality can be established by selecting appropriate zone types, determining server placements, and integrating DNS with other Windows 2000 services. Provide an overview of the decisions involved in establishing a functional design.
In this section:
• Explain what a zone is and how zones work. Give a brief overview of Active Directory integrated zones, traditional DNS zones, and the combination of both zone types in terms of how to select an appropriate zone.
• Tell the students that the structure of the DNS namespace and the DNS zone type influence the placement of DNS servers in a network design. Discuss how to determine server placement based on namespace design and zone type.
• Introduce reverse lookup zones. Tell the students that if applications or network security requires the conversion of IP addresses to domain names, they can include reverse lookup zones in their network design. Explain that the reverse lookup zones can be Active Directory integrated zones, traditional primary zones, or traditional secondary zones.
• Point out that DNS servers interact with servers on the Internet to resolve names. Explain how DNS integrates with the Internet.
• Explain that the Windows 2000 DNS service can be combined with BIND and DNS servers in Microsoft Windows NT® version 4.0 if you cannot replace the existing DNS servers.
• Point out that the host names found in WINS can be resolved by forwarding unresolved DNS queries to a WINS server. The forwarding of unresolved DNS queries to WINS can be established on a zone-by-zone basis.
• Explain that the DNS zones provided by Windows 2000 can be integrated into the existing namespace of an organization. Tell students that they need to integrate the DNS zones into the existing namespace if they are unable to specify a computer running Windows 2000 as the DNS root server for the organization.
• Ensure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Securing DNS
Because DNS servers are exposed to the network, you need to secure DNS access from private and public networks. In this section, explain the use of restricted updates, Internet Protocol Security (IPSec), virtual private network (VPN) tunnels, Active Directory, and screened subnets to secure DNS.
• Point out that when integrating DNS into screened subnets, you must restrict Internet-based user access and encrypt any zone replication within the private network. Describe the placement and interaction of DNS services within screened subnets.
Enhancing a DNS Design for Availability
Describe the usage of replicated DNS zones and server clusters to enhance the availability of a DNS design.
• Explain that the availability of DNS can be enhanced by using server clusters. The availability that is provided by server clusters solves availability issues only at local locations.
Optimizing a DNS Design for Performance
Explain the methods of improving the performance of a DNS design. Reducing the query resolution time, and reducing the impact of replication on network traffic, can maximize the performance of the DNS service.
In this section:
• Emphasize that the use of caching-only servers, delegated zones, and load balancing can reduce query resolution time.
• Point out that the data transmission rates for network traffic can be improved by reducing the impact of DNS replication traffic. Explain that the performance of the replication traffic can be improved by using fast zone transfers, modifying the replication schedule, and performing incremental zone updates.
• Make sure that students understand the scenario description and directions for the Discussion. Direct them to read through the scenario and answer the questions. Be prepared to clarify if necessary. Lead a class discussion on the students’ responses.
Lab Strategy
Use the following strategy to present this lab.
Lab A: Designing a DNS Solution
In this lab, students will design a DNS solution based on specific requirements outlined in the given scenario.
Students will review the scenario and the design requirements, and read any supporting materials. They will use this information, and the knowledge gained from the module, to develop a detailed design that uses DNS as the solution.
To conduct the lab:
• Read through the lab carefully, paying close attention to the instructions and to the details of the scenario.
• Divide the class into teams of two or more students.
• Present the lab and make sure students understand the instructions and the purpose of the lab.
• Explain that the planning worksheet is to be used to develop the design of their solution.
• Remind students to consider any functionality, security, availability, and performance criteria that are provided in the scenario, and how they will incorporate strategies to meet these criteria in their design.
• Take the opportunity to assess each student’s comprehension of the design strategies presented in the module while students are completing the lab.
• Allow some time to discuss the solutions after the lab is completed. A solution is provided on the Instructor CD to help you review the lab results. Encourage students to critique each other’s solutions and to discuss any ideas for improving the designs.
Overview
• Introducing DNS
• Designing a Functional DNS Solution
• Securing DNS
• Enhancing a DNS Design for Availability
• Optimizing a DNS Design for Performance
Name resolution processes allow users to remember resource names. You can use these resource names instead of the numerical Internet Protocol (IP) addresses that computers use to identify themselves on the network.
DNS in Microsoft® Windows® 2000 allows users to refer to network resources with easy-to-remember names by resolving names to IP addresses. In this module, you will evaluate and design a DNS solution for name resolution.
At the end of this module, you will be able to:
• Recognize DNS as a solution for name resolution.
• Evaluate and create a DNS solution to support an organization’s name resolution requirement.
• Select appropriate strategies to secure DNS.
• Select appropriate strategies to enhance the availability of DNS.
• Select appropriate strategies to improve DNS performance.
While designing a network, you must identify name resolution solutions to locate computers and services on the network. In this module, you will evaluate and design a DNS solution for name resolution.
Introducing DNS
• Design Decisions for a DNS Solution
• Microsoft DNS Features
• Integrating DNS with Other Windows 2000 Services
While designing a network, you must identify solutions for name resolution to locate computers and services on the network. The large number of available network resources creates the need for meaningful resource names to simplify the user’s access to resources.
Windows 2000 DNS allows users to refer to network resources with names complying with the DNS standard. You can use DNS to resolve names to IP addresses. DNS can also integrate with other Windows 2000 services to extend the name resolution capabilities.
To design a strategy for locating network resources by using DNS, you must:
• Collect information about network and host configuration, and the number
Remind students that in this module, DNS always refers to the DNS services provided by Windows 2000 unless otherwise specified.
Design Decisions for a DNS Solution
(Slide graphic: Active Directory, UNIX DNS, Firewall)
The design of your DNS solution is based on criteria that you collect during the design process. After you have collected the criteria, you can begin designing your DNS solution.
Some of the criteria that affect your DNS design include the:
• Number of locations. The number of locations determines the minimum number of DNS servers because each location typically has at least one DNS server.
• Number of users at each location. The number of users at each location determines the number of DNS clients that must be supported within the location.
• Existence of any prior DNS servers, such as UNIX or DNS servers in Microsoft Windows NT® version 4.0. Existing DNS servers may limit the use of DNS features such as incremental zone transfers.
• Existence of, or plans to include, an Active Directory™ directory service infrastructure. Active Directory provides the option of including Active Directory integrated zones in your DNS design.
Slide Objective: To identify the design decisions that influence a DNS solution.
Lead-in: To design a DNS solution, you must determine the number of locations and hosts, the existing DNS servers, and the Active Directory infrastructure.
Discuss the bulleted points with students. Tell them that these are the questions they need to answer before designing a DNS solution. Explain the relevance of these decisions with reference to the graphic.
Microsoft DNS Features
• Resolving Domain Names
• Integrating with Active Directory
• Integrating into Existing Network Designs
To determine how Windows 2000 DNS integrates into an existing infrastructure, you need to define the features provided by DNS, its compliance with the existing standards, and the scope for extending the existing services.
Resolving Domain Names
The solutions provided by DNS include:
• Resolving traditional fully qualified domain names (FQDNs).
• Resolving network basic input/output system (NetBIOS) names by forwarding queries to WINS.
Integrating with Active Directory
The integration of the DNS service with Active Directory enhances a DNS design by:
• Reducing network management. Network management is reduced because DNS uses Active Directory replication to replicate DNS zone databases.
• Providing secured and automatic maintenance of DNS zone databases by using dynamically updated DNS.
name resolution service, you must understand the features available to support the needs of your infrastructure.
Integrating into Existing Network Designs
The DNS service in Windows 2000 is a superset of the Internet Engineering Task Force (IETF) standards. You can integrate DNS with other products that are based on the IETF standards. DNS provides compatibility with DNS servers on other operating systems by complying with Berkeley Internet Name Domain (BIND) version 8.2.2. Crucial BIND compatibility includes:
• Incremental zone updates, which are supported by BIND version 8.2.1 and later.
• A dynamically updated DNS zone database, which is supported by BIND version 8.1.2 and later.
• Support for the SRV (service) resource record, which is supported by BIND version 4.9.6 and later.
Note: Although other versions of BIND can integrate with the DNS services in Windows 2000, BIND version 8.2.2 is recommended. BIND version 8.2.2 is the latest version and supports all enhanced features.
Integrating DNS with Other Windows 2000 Services
(Slide graphic: WINS Server, DHCP Server, Active Directory, and DNS Server, linked by Name Registration, Authentication, Replication, and Name Resolution)
DNS integrates with other networking services to take advantage of their features. These features require you to include additional specifications in the design, such as forwarding name resolution queries to a WINS server.
The following table describes the benefits of integrating DNS with other networking services.
DNS integrates with    To
DHCP server            addresses are assigned to DHCP client computers
WINS server            and resolving the queries from the WINS database entries
Active Directory       Provide multiple master DNS zones, secured zone updates, and encrypted DNS replication
Designing a Functional DNS Solution
• Selecting the Appropriate Zone Types
• Server Placement by Zone Type
• Reverse Lookup Zone Design
• Connecting DNS to the Internet
• Integrating with BIND and DNS Servers in Windows NT 4.0
• Integrating DNS and WINS
• Strategies for Integrating into the Existing Namespace
There are a few essential design decisions that you need to make for a DNS solution. After these essential design decisions are established, you can optimize the DNS solution by adding security, availability, and performance enhancements to your design.
The essential design decisions for your DNS solution must include:
• Which zone types to include in your design.
• Where to place DNS servers based upon the zone types.
• How to create designs that include reverse lookup zones.
• How to create designs if the DNS servers in the private network interact with the DNS servers on the Internet.
• How the DNS services in Windows 2000 integrate with UNIX BIND and Windows NT 4.0 DNS servers.
• How to create designs that include WINS servers as part of the solution.
• How the DNS services in Windows 2000 integrate into an organization’s existing namespace.
Selecting the Appropriate Zone Types
(Slide graphic: Active Directory Integrated Zone, chosen when integrating into an existing Active Directory, with a single point of support for DNS and Active Directory; Traditional DNS Zone, chosen for integration into an existing infrastructure, with separate support for DNS and Active Directory; Combination of Both Zone Types, chosen when the root server is traditional DNS, supporting Active Directory integrated zones as a delegated domain)
You can base DNS services on Active Directory integrated zones, on traditional DNS zones, or on a combination of both. If your organization uses Active Directory as the directory service, you can choose either traditional DNS zones or Active Directory integrated zones.
Choose Active Directory integrated zones if an Active Directory infrastructure exists or is part of the long-term strategy of the organization. Choose a traditional DNS zone if DNS is being integrated with existing DNS servers running UNIX or some other operating system.
Active Directory Integrated Zones
Active Directory integrated zones store DNS zone information in Active Directory. Active Directory integrated zones are:
• Multi-master, read/write copies of the zone information. The multi-master characteristic enables you to make updates to the original Active Directory integrated zone or to any replicated copy of the zone. It ensures that you can always perform updates to the DNS zone information.
As a best practice, select Active Directory integrated zones if your DNS design includes dynamic updates to DNS. Traditional DNS zones are not multi-master, so the failure of a DNS server with a primary zone prevents dynamic updates.
• Replicated by Active Directory. Because Active Directory integrated zones store the zone information in Active Directory, the zone information is replicated along with other Active Directory data.
• Required for secured, dynamically updated DNS zones. Because Active Directory integrated zones store the zone information in Active Directory, you can establish permissions for the computer, group, or user who can update the DNS zone information.
• Replicated only within an Active Directory domain. However, you can replicate Active Directory integrated zone information outside the domain to traditional secondary zones.
• Treated as a traditional primary zone by another BIND-based DNS server. To a BIND-based DNS server, Active Directory integrated zones appear as traditional primary zones. You can replicate to other Active Directory integrated zones or to traditional secondary zones.
Slide Objective: To describe the various zone types that you can select for DNS services.
Lead-in: There are three approaches to zone types. You can base
Traditional DNS Zones
Traditional DNS zones store the zone information in a file on the computer running Windows 2000 and DNS. Traditional DNS zones:
• Follow a single-master model for storing and replicating zone information. Primary zones are the only zone types that support a read/write copy of the zone information. You are allowed only one primary zone, but you can replicate read-only copies of the zone information to any number of secondary zones.
• Replicate incrementally or by transferring the entire zone information. The replication between primary and secondary zones can occur incrementally or by transferring the entire zone contents. The DNS service in Windows 2000 supports both incremental and complete zone transfers.
• Function identically to BIND-based DNS servers. Traditional DNS zones have the same benefits and constraints as BIND-based DNS zones. You can use traditional DNS zones if high interoperability with BIND-based DNS servers is a design requirement.
Combination of Both Zone Types
The following table compares Active Directory integrated zones with traditional DNS zones.
Features of DNS    Active Directory integrated zones                                                   Traditional DNS zones
                   Uses a zone information replication method based on Active Directory replication
Server Placement by Zone Type
(Slide table, by zone type: Active Directory integrated zone requires one Active Directory integrated zone, recommends one DNS server at each remote location, and adds DNS servers for availability and performance; Traditional DNS zone requires one primary zone, recommends one DNS server at each remote location, and adds secondary or delegated zones for availability and performance)
The DNS zone type influences the placement of DNS servers in a name resolution design. Each zone type solves a specific requirement within a design. For example, you would add a secondary zone server at a remote location to improve performance.
When placing servers within a DNS design, you need to consider the DNS zone type. The following table lists the DNS zone types and when you must select them.
Choose this zone                 When you need to create a DNS server that
Active Directory integrated DNS  Is any server in a design based on Active Directory
Primary                          Has a read/write copy of the zone information
                                 Can administer zone information separately
Secondary                        Has a complete copy of the primary zone
                                 Has a read-only copy of the zone information
                                 Improves performance at local and remote locations by providing a local copy of a primary zone
                                 Is placed in screened subnets and accessed by Internet-based users
Delegated domain                 Contains a subset of the domain namespace in an Active Directory integrated zone or a primary zone
                                 Improves performance by reducing the number of records to be searched to a subset of the namespace
Slide Objective: To describe when to use certain zone types in creating a DNS design.
Lead-in: To define namespace design, you need to determine the server placement in a network design.
Reverse Lookup Zone Design
• Reverse Lookup Zone Types
• Dynamic Updates and Reverse Lookup Zones
(Slide graphic: Internet; 172.168.in-addr.arpa primary zone and 172.168.in-addr.arpa secondary zone; two 10.in-addr.arpa Active Directory integrated zones)
If applications or network security requires the conversion of IP addresses to domain names, you can include reverse lookup zones in your design. The design decisions that you must make for reverse lookup zones are very similar to those of forward lookup zones. Only the contents of the DNS zone records are different between forward and reverse lookup zones.
Reverse Lookup Zone Types
You can include the same zone types for reverse lookup zones that you include for forward lookup zones. The reverse lookup zones can be Active Directory integrated zones, traditional primary zones, or traditional secondary zones. You can apply the same decision process discussed earlier in this module to reverse lookup zones.
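The following worked example is added here and is not part of the module. It carries the reverse lookup zone decision through for constructed address blocks: it derives the in-addr.arpa zone names that cover each block (cut on octet boundaries, as traditional reverse zones are named), the PTR owner name for a host, and the zone that holds that PTR record. The network blocks, host addresses, and the zone-type labels attached to them are assumptions made for the example, not values from the module.

```python
"""Reverse lookup zone planning for the IPv4 networks in a design (added example)."""
import ipaddress
from typing import Optional


def ptr_name(ip: str) -> str:
    """PTR owner name for an IPv4 address: octets reversed, under in-addr.arpa."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def reverse_zones(cidr: str) -> list[str]:
    """in-addr.arpa zone names that cover a network.

    Traditional reverse zones are delegated per octet, so a prefix that is not a
    multiple of 8 bits is covered by the next octet-aligned subnets (a /12 becomes
    sixteen /16 zones), and anything longer than /24 lives in its enclosing /24 zone.
    """
    net = ipaddress.IPv4Network(cidr, strict=True)
    if net.prefixlen == 0:
        raise ValueError("a default route is not a reverse lookup zone")
    if net.prefixlen > 24:
        covering = [net.supernet(new_prefix=24)]
        depth = 3
    else:
        aligned = -(-net.prefixlen // 8) * 8          # round up to 8, 16 or 24
        covering = list(net.subnets(new_prefix=aligned))
        depth = aligned // 8
    zones = []
    for sub in covering:
        octets = str(sub.network_address).split(".")[:depth]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa")
    return zones


def zone_for_ptr(ip: str, zones: list[str]) -> Optional[str]:
    """The most specific zone (longest suffix match) that holds the PTR record for ip."""
    name = ptr_name(ip)
    matches = [z for z in zones if name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def plan(networks: dict[str, str]) -> dict[str, str]:
    """Expand a design table of network -> chosen zone type into zone name -> zone type."""
    result = {}
    for cidr, zone_type in networks.items():
        for zone in reverse_zones(cidr):
            result[zone] = zone_type
    return result


if __name__ == "__main__":
    # Constructed design input: private blocks in an Active Directory domain and a
    # small partner-facing block served by a traditional primary/secondary pair.
    design = {
        "10.0.0.0/8": "Active Directory integrated",
        "172.16.0.0/12": "Active Directory integrated",
        "192.168.50.64/26": "traditional primary",
    }
    zones = plan(design)
    for zone, zone_type in zones.items():
        print(f"{zone:28} {zone_type}")
    host = "172.20.9.7"
    print(ptr_name(host), "is held by", zone_for_ptr(host, list(zones)))
```

The /12 case is the one practitioners most often get wrong: in-addr.arpa delegation happens at octet boundaries, so a 172.16.0.0/12 block needs sixteen zones (16.172 through 31.172) rather than one, and each of those zones needs the same zone-type and server-placement decision as a forward lookup zone.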
Dynamic Updates and Reverse Lookup Zones
You can enable dynamic updates to DNS by:
• Enabling DNS clients running Windows 2000 to update DNS directly.
• Allowing DHCP to update the DNS records.
Slide Objective: To introduce the design decisions that are required when including reverse
a domain name, you can include reverse lookup zones in your design.
The following table lists the approaches to dynamically updating DNS and when to select which approach.
Select this approach                                      When you want to dynamically create
Windows 2000–based DNS clients directly updating DNS      Forward lookup records, host (A) records
                                                          Reverse lookup records, pointer (PTR) records
DHCP directly updates DNS on behalf of the DNS clients    Only forward lookup records, host (A) records
Note: If you enable DNS clients running Windows 2000 to dynamically update DNS directly, establishing permissions for secured updates to DNS becomes more complex because you must assign permissions for each DNS client.
Connecting DNS to the Internet
• Forwarding DNS Queries to Internet-based DNS Servers
• Responding to DNS Queries from the Internet
(Slide graphic: a DNS server in the secured private network forwards queries through a firewall to the Internet; a DNS server in the screened subnet, behind a second firewall, responds to queries from the Internet)
The DNS servers within a private network must interact with servers on the Internet to resolve names. To do this, the DNS servers in the private network forward queries to and respond to queries from Internet-based DNS servers.
Forwarding DNS Queries to Internet-based DNS Servers
The DNS servers within the organization may forward requests to:
• DNS servers provided by the Internet service provider (ISP) that the organization uses.
• Internet root DNS servers.
Responding to DNS Queries from the Internet
When organizations expose resources, such as www.microsoft.com, to the Internet, the names and IP addresses of the servers hosting these resources must be listed in a DNS server that is accessible from the Internet. You can provide name resolution to these requests by:
• Placing a DNS server in a screened subnet that contains the DNS entries for the resources. Use this method if the resource names may change frequently and the organization wants to make the changes itself.
• Requesting that the ISP for the organization place the DNS entries in a DNS server that the ISP supports. Use this method if the resource names change infrequently and the organization does not need to make the changes itself.
Slide Objective: To describe the interaction between DNS servers within the organization and Internet-based DNS servers.
Lead-in: DNS servers in a private network need to forward queries to and respond to queries from Internet-based DNS servers.
Integrating with BIND and DNS Servers in Windows NT 4.0
• Dynamic DNS Zone Updates
The Windows 2000 DNS service treats BIND and Windows NT 4.0 DNS servers as traditional DNS servers. BIND and Windows NT 4.0 DNS servers support:
• Standard primary zones
• Standard secondary zones
• Delegated domains
If your network design includes BIND and Windows NT 4.0 DNS servers, you can make the same design decisions as you would with a Windows 2000 DNS server with the same zone type.
Dynamic DNS Zone Updates
Dynamic DNS zone updates allow DNS client computers or DHCP servers to dynamically update DNS zone entries. Dynamic DNS zone updates reduce the administration of DNS zones and eliminate the errors that manually updating DNS zones introduces.
The most common reason for including dynamic DNS zone updates in your network design is to support Active Directory. Although not required, dynamic DNS zone updates are recommended if your DNS solution must support Active Directory.
If your design includes dynamic DNS zone updates, remember:
• BIND versions 8.1.2 and later support dynamic DNS zone updates.
• Windows NT 4.0 DNS servers do not support dynamic DNS zone updates.
• RFC 2136 documents dynamic DNS zone update support.
Unicode Characters
The DNS service in Windows 2000 supports the use of Unicode characters in DNS zones. BIND DNS and Windows NT 4.0 servers support only RFC-compliant (ANSI) characters.
If you include BIND or Windows NT 4.0 DNS servers in your network design, you must enforce RFC-compliant characters on the DNS service in Windows 2000. This enables the replication of zone information to the BIND or Windows NT 4.0 DNS servers.
Non-RFC-Compliant Resource Records
Many vendors who implement BIND include vendor-specific, non-RFC-compliant resource records in the DNS zone. Normally, when the DNS service receives one of these resource records, the zone replication process stops. If the BIND DNS zone includes non-RFC-compliant resource records, you can specify that the DNS service in Windows 2000 ignore the records.
SRV Record Types
SRV record types allow you to designate several servers as primary and backup servers. SRV records are a special type of DNS round-robin entry that is similar to the mail exchange (MX) records used by Simple Mail Transfer Protocol (SMTP).
The most common reason for including SRV record types in your design is to support Active Directory.
If your design includes SRV record types, remember:
• BIND versions 4.9.6 and later support SRV record types.
• Windows NT 4.0 DNS servers do not support dynamic DNS zone updates.
• RFC 2052 documents SRV record type support.
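The following worked example is added here and is not the module's own code. It shows how the primary/backup designation in SRV records actually plays out on the client side: records are parsed from zone-file style lines, the lowest priority tier wins, servers of equal priority are chosen in proportion to their weight, and a tier whose targets are all unreachable is skipped so the backup tier takes over. The weighted choice follows the selection rule of RFC 2782, which superseded the RFC 2052 cited above. The LDAP records, server names, and reachability sets are constructed for illustration.

```python
"""SRV priority and weight selection (added example)."""
import random
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class SrvRecord:
    priority: int   # lower is preferred; equal values form one tier
    weight: int     # relative share of load within a tier
    port: int
    target: str


def parse_srv(line: str) -> SrvRecord:
    """Parse a zone-file style line: owner ttl IN SRV priority weight port target."""
    fields = line.split()
    if len(fields) < 8 or fields[3].upper() != "SRV":
        raise ValueError(f"not an SRV record: {line!r}")
    return SrvRecord(int(fields[4]), int(fields[5]), int(fields[6]), fields[7].lower())


def weighted_choice(candidates: list[SrvRecord], rng: random.Random) -> SrvRecord:
    """Pick one record with probability proportional to its weight.

    Records with weight 0 are chosen only when every candidate in the tier has
    weight 0 (then they are picked uniformly).
    """
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(1, total)
    running = 0
    for rec in candidates:
        running += rec.weight
        if running >= pick:
            return rec
    return candidates[-1]   # not reached; keeps the return type total


def select_target(records: Iterable[SrvRecord], reachable: set,
                  rng: Optional[random.Random] = None) -> Optional[SrvRecord]:
    """Choose the server to contact: the best priority tier with a reachable target."""
    rng = rng or random.Random()
    records = list(records)
    for prio in sorted({r.priority for r in records}):
        tier = [r for r in records if r.priority == prio and r.target in reachable]
        if tier:
            return weighted_choice(tier, rng)
        # every target in this tier is down: fall through to the backup tier
    return None


# Constructed records: two primary LDAP servers sharing load 60/40 and one backup
# that is used only when both primaries are unreachable.
LDAP_SRV = [parse_srv(line) for line in [
    "_ldap._tcp.corp.example. 600 IN SRV 0 60 389 dc1.corp.example.",
    "_ldap._tcp.corp.example. 600 IN SRV 0 40 389 dc2.corp.example.",
    "_ldap._tcp.corp.example. 600 IN SRV 10 0 389 dc-backup.corp.example.",
]]


def share_of(target: str, records, reachable: set, trials: int = 2000, seed: int = 1) -> float:
    """Fraction of repeated selections that land on target (shows weight in action)."""
    rng = random.Random(seed)
    hits = sum(select_target(records, reachable, rng).target == target for _ in range(trials))
    return hits / trials


if __name__ == "__main__":
    everyone = {r.target for r in LDAP_SRV}
    print("dc1 share with all servers up:", share_of("dc1.corp.example.", LDAP_SRV, everyone))
    print("with both primaries down:", select_target(LDAP_SRV, {"dc-backup.corp.example."}))
```

Two design consequences follow directly from the code: a backup at a higher priority value receives no traffic at all while any primary is reachable, and the split between primaries is governed by weight, so a weight of 0 on the backup is harmless but a weight of 0 on one of two primaries silently removes it from service.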
WINS and WINS-R Record Types
The DNS service in Windows 2000 and Windows NT 4.0 supports WINS forward lookup and reverse lookup record types (WINS and WINS-R). WINS and WINS-R record types enable the DNS server to submit queries to a WINS server and attempt resolution through WINS. Normally, when you replicate these records to BIND DNS servers, they see the WINS and WINS-R records as invalid, non-RFC-compliant records.
If your design includes the DNS service in Windows 2000 or Windows NT 4.0 that replicates to a BIND DNS server, you can specify that the WINS and WINS-R records are not replicated to the BIND DNS server.
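The following worked example is added here and is not the module's own code. It serves the Unicode Characters section and this WINS and WINS-R section together: a pre-replication check that walks a zone listing and separates the records a BIND secondary will accept from those the text says break replication, namely owner names that are not RFC-compliant host names (non-ASCII characters, underscores, bad hyphen placement, over-long labels) and the Windows-only WINS and WINS-R records. The zone lines are constructed in a simplified zone-file layout (owner, TTL, IN, type, rdata); the WINS and WINS-R rdata shown are placeholders, not the exact Windows zone-file syntax.

```python
"""Pre-replication check for a zone that a Windows 2000 DNS server sends to BIND (added example)."""
import re

# RFC 1123 host-name label: ASCII letters, digits and hyphens, no leading or
# trailing hyphen, at most 63 characters.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
WINDOWS_ONLY_TYPES = {"WINS", "WINS-R"}
# Owner names of these record types must be host names. SRV owners such as
# _ldap._tcp are service labels, so they are exempt from the host-name rules.
HOSTNAME_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "SOA"}


def is_rfc_hostname(name: str) -> bool:
    """True if name is an RFC 1123 host name (whole name at most 253 characters)."""
    name = name.rstrip(".")
    if not name or not name.isascii() or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def parse_record(line: str):
    """Return (owner, type, record text) for a record line, or None for blanks and comments."""
    body = line.split(";", 1)[0].strip()
    if not body:
        return None
    fields = body.split()
    try:
        cls = fields.index("IN")
    except ValueError:
        raise ValueError(f"no class field in record: {line!r}") from None
    return fields[0], fields[cls + 1].upper(), body


def filter_for_bind(lines):
    """Split zone lines into (accepted, rejected); rejected holds (record, reason) pairs."""
    accepted, rejected = [], []
    for line in lines:
        parsed = parse_record(line)
        if parsed is None:
            continue
        owner, rtype, body = parsed
        if rtype in WINDOWS_ONLY_TYPES:
            rejected.append((body, f"{rtype} record is Windows-only; BIND treats it as non-RFC-compliant"))
        elif rtype in HOSTNAME_TYPES and not is_rfc_hostname(owner):
            rejected.append((body, f"owner name {owner!r} is not an RFC-compliant host name"))
        else:
            accepted.append(body)
    return accepted, rejected


# Constructed zone listing (not from the module); the last two rows use placeholder rdata.
ZONE = [
    "corp.example.             3600 IN SOA  ns1.corp.example. hostmaster.corp.example. 1 3600 600 86400 3600",
    "corp.example.             3600 IN NS   ns1.corp.example.",
    "ns1.corp.example.         3600 IN A    10.0.0.2",
    "sales-srv01.corp.example. 3600 IN A    10.0.1.10",
    "print_srv.corp.example.   3600 IN A    10.0.1.11   ; underscore is not allowed in a host name",
    "verkäufe.corp.example.    3600 IN A    10.0.1.12   ; Unicode label, Windows 2000 DNS only",
    "_ldap._tcp.corp.example.  600  IN SRV  0 100 389 ns1.corp.example.",
    "wins.corp.example.        3600 IN WINS 10.0.0.5",
    "wins.corp.example.        3600 IN WINS-R corp.example.",
]

if __name__ == "__main__":
    ok, bad = filter_for_bind(ZONE)
    print(f"{len(ok)} records can replicate to BIND, {len(bad)} cannot:")
    for body, reason in bad:
        print("  ", reason)
```

Running a check of this kind before enabling a BIND secondary turns the failure mode the text describes (replication stopping at the first offending record) into a list of names to rename and records to exclude.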
Trang 24Integrating DNS and WINS
Designate a Subdomain for WINS Resolution
Specify WINS Server in Zone Configuration
Designate a Subdomain for WINS Resolution
Delegate Unresolved DNS Queries to a Subdomain
Specify WINS Server in Zone Configuration
In your network design, you can allow DNS clients to resolve host names found
in WINS, so that you do not need to create DNS zone entries for all of the computers in the organization In the existing Windows NT 4.0 networks, performing DNS queries, which are resolved by using WINS, does not require many changes to the existing network infrastructure
You can resolve host names found in WINS by forwarding unresolved DNS queries to a WINS server You can establish the forwarding of unresolved DNS queries to WINS on a zone-by-zone basis
Designating a Subdomain for WINS Resolution
To integrate a WINS resolution within your DNS design, designate a subdomain within the organization’s namespace that you will use as a placeholder for the WINS names Specify that the subdomain contains no entries, except for the WINS and WINS-R records
For organizations that have a separate private and public namespace, create the subdomain for WINS under the private namespace. For organizations that have the same namespace for private and public name resolution, create the subdomain for WINS at a level beneath the root of the organization
Delegating Unresolved DNS Queries to a Subdomain
For domain names that are within the organization’s namespace, if you want to:
Resolve names in WINS before names in other domains, specify that unresolved DNS queries go to the delegated subdomain for WINS first (for example, by placing that subdomain first in the clients’ DNS suffix search order)
Resolve names in other domains before names in WINS, specify that unresolved DNS queries go to the delegated subdomain for WINS last
Specifying WINS Server in Zone Configuration
To forward unresolved DNS queries to a WINS server, you enable WINS resolution on a zone. A zone can resolve queries by using more than one WINS server: you specify the IP addresses of the WINS servers in the order in which the servers are to be contacted, and the DNS server tries the next server in the list only if the previous one does not respond. To improve the availability of your DNS solution, include more than one WINS server in the list
Your organization may not replicate all WINS records between all WINS servers. If your organization’s WINS database is divided across multiple WINS servers, you can create a separate DNS zone for each WINS server
For example, consider an organization that has one WINS server that holds records only for Paris and another that holds records only for London. You can create a DNS zone for Paris and a DNS zone for London, so that the Paris WINS server and the London WINS server are reached through different subdomain names. Alternatively, you can create one DNS zone that lists both WINS servers, so that WINS resolution occurs beneath a single subdomain name
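As an added illustration, not part of the course text, the zone records that the WINS integration described above produces are shown here in the zone-file syntax that the Windows 2000 DNS service uses for file-backed zones. The placeholder subdomain wins.nwtraders.msft, the server names, the WINS server addresses, the reverse zone and the time-out values are assumptions chosen for the example; nwtraders.msft is the namespace the module itself uses.

```zone
; ---- Forward lookup: placeholder subdomain wins.nwtraders.msft ----
; The zone holds no host records; a query for any name beneath it
; that has no DNS record falls through to the WINS servers listed
; in the WINS record. (All names and addresses are assumed.)
$ORIGIN wins.nwtraders.msft.
@       IN  SOA   dns1.nwtraders.msft. hostmaster.nwtraders.msft. (
                  2000110101 ; serial
                  3600       ; refresh
                  600        ; retry
                  86400      ; expire
                  3600 )     ; minimum TTL
        IN  NS    dns1.nwtraders.msft.
        IN  NS    dns2.nwtraders.msft.

; WINS record. Servers are contacted in the order listed, so the
; second server keeps resolution working if the first is down.
; LOCAL is the "Do not replicate this record" option: the record is
; kept on this server and omitted from zone transfers, so a BIND
; secondary for this zone never receives the non-RFC record type.
; L and C carry the lookup and cache time-out settings from the
; zone's WINS tab (values here are illustrative).
@       IN  WINS  LOCAL L2 C10 10.1.0.10 10.2.0.10

; ---- Alternative: one zone per WINS database ----
; If the Paris and London WINS servers do not replicate with each
; other, give each its own subdomain (each is a separate zone with
; its own SOA and NS records, omitted here), so that a query for
; host.paris.wins.nwtraders.msft is sent only to the Paris server.
$ORIGIN paris.wins.nwtraders.msft.
@       IN  WINS  LOCAL L2 C10 10.1.0.10
$ORIGIN london.wins.nwtraders.msft.
@       IN  WINS  LOCAL L2 C10 10.2.0.10

; ---- Reverse lookup: WINS-R record in the reverse zone for 10.1/16 ----
; For an address with no PTR record the DNS server sends a NetBIOS
; adapter status query to the address itself and appends the result
; domain named in the record to the NetBIOS name it gets back, for
; example PARISFS1.wins.nwtraders.msft.
$ORIGIN 1.10.in-addr.arpa.
@       IN  WINSR LOCAL L2 C10 wins.nwtraders.msft.
```

The combined record and the per-city zones are the two designs the paragraph above contrasts; a deployment uses one or the other, not both. In every case the LOCAL keyword is what keeps the Windows-only record types out of transfers to BIND secondaries.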
Strategies for Integrating into the Existing Namespace
Separate Public and Private Namespace
Single Subdomain Within Namespace
Multiple Subdomains Within Namespace
No Changes to Namespace
Slide diagram: an existing DNS namespace nwtraders.msft with the subdomains public.nwtraders.msft and private.nwtraders.msft; the zones are labelled Traditional Zone (twice) and Active Directory Integrated Zone (once)
The DNS zones provided by Windows 2000 are compatible with DNS zones on BIND, or other DNS services that do not run on Windows 2000 You can integrate the DNS zones provided by Windows 2000 into the existing namespace of an organization You need to integrate into the existing namespace if you are unable to specify a computer running Windows 2000 as the DNS root server for the organization
Many of the issues relating to the integration of DNS into an existing namespace are to provide a DNS infrastructure for Active Directory. For further information, please see Course 1561A: Designing a Microsoft Windows 2000 Directory Services Infrastructure
Separate Public and Private Namespace
You can integrate DNS into the existing namespace of an organization by creating separate public and private namespaces. The existing namespace is contained within the public portion of the namespace, and the DNS service in Windows 2000 manages the private portion
The benefits of a separate public and private namespace include:
Improved security, because users and computers outside the organization have no access to the private namespace, including the internal host names and Active Directory records it contains. This holds only as long as the private zones are not hosted on, transferred to, or resolvable through the Internet-facing DNS servers
Minimal impact on the existing namespace and minimal effort on the part of the current DNS administrators
Single Subdomain Within Namespace
Creating a single subdomain within the namespace is very similar to the separate public and private namespace strategy. However, you do not divide the namespace into public and private portions. Instead, specify that all Windows 2000–based DNS servers reside beneath a single subdomain within the namespace
The primary benefit of this strategy is that there is minimal impact on the existing namespace, and minimal effort put forth on the part of the current DNS administrators
For example, if the root name of the organization is nwtraders.msft, you could create a subdomain called windows.nwtraders.msft that contains all Microsoft DNS servers and DNS clients
Multiple Subdomains Within Namespace
You can create multiple subdomains within the namespace if the organization is unable or unwilling to create subdomains close to the root domain If presented with this requirement, you can specify subdomains within lower portions of the namespace hierarchy The benefit of this approach is that higher portions of the namespace remain unchanged The consequence of this approach is that the existing DNS administrators need to create subdomains at multiple points in the namespace hierarchy
No Changes to Namespace
There are also instances in which the existing DNS servers manage all of the primary DNS zones. In this situation, the DNS zones managed by Windows 2000 are integrated only as secondary zones
Active Directory requires a Windows 2000 domain controller. The difficulty for the designer is that the wizard for promoting a computer running Windows 2000 to a domain controller defaults to creating an Active Directory integrated zone for the domain. If you cannot create a separate zone within the organization, you must integrate your first domain controller without relying on the wizard’s DNS defaults
To integrate the first Windows 2000 domain controller, you can specify the following process:
1. Configure the computer running Windows 2000 as a standalone server
2. Ensure that the computer running Windows 2000 hosts a secondary zone for the existing DNS zones
3. Configure the computer running Windows 2000 to perform dynamic updates to the existing DNS primary zone
If the existing DNS servers do not support dynamic updates, the DNS administrators must manually add the records to the primary zone. For more information about the records that you must add, see the Windows 2000 deployment guide. If the BIND administrators enable dynamic updates for this purpose, they should limit the update policy to the domain controller’s address rather than allowing updates from any host: Windows 2000 sends unsigned dynamic updates to non-Microsoft DNS servers (secure update is available only for Active Directory integrated zones), so an unrestricted policy lets any host on the network rewrite the zone
4. Promote the computer running Windows 2000 to a domain controller
If the existing DNS servers do not support SRV records, then the existing DNS servers cannot support Active Directory. You must upgrade the version of DNS running on the existing DNS servers or replace the servers with DNS servers that support SRV records
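The following zone-file fragment is an added example and is not part of the module. It shows the records the first domain controller needs in the existing BIND primary zone when the DNS administrators must add them by hand, as step 3 of the process above describes. The zone name nwtraders.msft is the module’s example; the host name dc1, its address 10.0.0.5 and the site name are assumptions. The record set is the commonly required subset of what the Net Logon service registers at promotion; the complete list, including a CNAME record named after the domain controller’s DSA GUID, is written to %SystemRoot%\System32\config\netlogon.dns on the new domain controller and is the authoritative source for what to add.

```zone
; Records for the first Windows 2000 domain controller (assumed name
; dc1, assumed address 10.0.0.5) in the existing BIND primary zone
; nwtraders.msft. SRV data is: priority weight port target.
$ORIGIN nwtraders.msft.
dc1                         IN  A    10.0.0.5

; Domain-wide service locator records (SRV type, RFC 2052).
; Clients use these to find LDAP and Kerberos for the domain.
_ldap._tcp                  IN  SRV  0 100  389 dc1.nwtraders.msft.
_kerberos._tcp              IN  SRV  0 100   88 dc1.nwtraders.msft.
_kerberos._udp              IN  SRV  0 100   88 dc1.nwtraders.msft.
_kpasswd._tcp               IN  SRV  0 100  464 dc1.nwtraders.msft.
_kpasswd._udp               IN  SRV  0 100  464 dc1.nwtraders.msft.

; _msdcs subtree: lets clients and other domain controllers locate
; domain controllers, the PDC emulator and global catalog servers.
_ldap._tcp.dc._msdcs        IN  SRV  0 100  389 dc1.nwtraders.msft.
_kerberos._tcp.dc._msdcs    IN  SRV  0 100   88 dc1.nwtraders.msft.
_ldap._tcp.pdc._msdcs       IN  SRV  0 100  389 dc1.nwtraders.msft.
_ldap._tcp.gc._msdcs        IN  SRV  0 100 3268 dc1.nwtraders.msft.
_gc._tcp                    IN  SRV  0 100 3268 dc1.nwtraders.msft.
gc._msdcs                   IN  A    10.0.0.5

; Site-specific records. Default-First-Site-Name is the name
; Windows 2000 gives the first site (assumed here to be unchanged).
_ldap._tcp.Default-First-Site-Name._sites           IN  SRV  0 100 389 dc1.nwtraders.msft.
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs IN  SRV  0 100 389 dc1.nwtraders.msft.
```

Because these records live in the BIND primary zone, the Windows 2000 server in step 2 receives them through its secondary zone like any other data, and the domain controller in step 4 can find itself and its domain without any zone being created on the Windows side.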
Discussion: Designing DNS Solutions
Locations on the slide map: New York, Washington DC, Atlanta, Kansas City
As you create DNS designs, you need to translate information relating to the solution into design requirements This discussion involves designing basic DNS solutions During the discussion, note any ideas presented by other students in the class that are relevant to the DNS solution
The following scenario describes the current network configuration of a telemarketing company Read the scenario and answer the questions Be prepared to discuss your answers with the class
Scenario
A telemarketing research company collects demographics on potential consumers for other organizations’ products and services At each location, market research analysts conduct telephone interviews to determine the purchasing decisions of the target consumer profile Each location has a dedicated T1 or T3 connection to the Internet
The market research analysts use a Web-based application for call tracking and recording of consumer responses The organizations that are funding the study can examine the results over the Internet by using a Web-based application, or access the data directly from a Microsoft SQL Server™ located in the Kansas City location
You could make the following recommendations:
Place two DNS servers at each geographic location
Use Active Directory integrated zones to store DNS information
Specify that the DHCP servers at each location dynamically update the DNS zones
2. The existing DNS services within the organization are based on UNIX-based BIND DNS servers. Each location has a director of information services who makes technology decisions for the respective location. Some of the directors are unwilling to replace the existing BIND DNS server. How would this affect your DNS solution?
You would need to use traditional DNS zones in the locations where the directors are unwilling to replace the existing BIND DNS servers. For delegated zones, the Windows 2000–based DNS server needs to host primary or Active Directory integrated zones for the delegated domains. For zones whose master copy is on a BIND DNS server, the Windows 2000–based DNS server needs to use secondary zones that replicate from the BIND DNS servers
To support Active Directory, the BIND DNS server needs to be version 4.9.6 or later. To support dynamically updated DNS zones, which is recommended for Active Directory support, BIND 8.1.2 or later is required. To support incremental zone transfers, BIND 8.2.1 or later is required
Securing DNS
Securing Dynamically Updated DNS Zones
Securing DNS Zone Replication
Integrating DNS into Screened Subnets
You can secure DNS access from private and public networks. Within a private network, you can secure DNS by restricting updates to dynamically updated DNS zones. Over public networks, you can secure DNS zone replication traffic by using Internet Protocol Security (IPSec), virtual private network (VPN) tunnels, or Active Directory integrated zones, whose data travels in Active Directory replication rather than in zone transfers. To protect DNS servers exposed to the Internet, you can restrict the DNS zone information they hold and place them in screened subnets