Module 6: Designing Name Resolution

Upload: harold-jennings

Post on 04-Jan-2016


Page 1: Module 6: Designing Name Resolution. Module Overview Collecting Information for a Name Resolution Design Designing a DNS Server Strategy Designing a DNS

Module 6: Designing Name Resolution


Module Overview

• Collecting Information for a Name Resolution Design

• Designing a DNS Server Strategy

• Designing a DNS Namespace

• Designing DNS Zone Implementation

• Designing Zone Replication and Delegation


Lesson 1: Collecting Information for a Name Resolution Design

• Physical Location Considerations for a Name Resolution Design

• NetBIOS Resources


Physical Location Considerations for a Name Resolution Design

Type: Physical location consideration

• Locations: Number of locations

• Hosts: Number of hosts at each location

• DNS servers: Existence of any prior DNS servers

• Active Directory: Existence of, or plans to include an Active Directory infrastructure

• Client computers: Location of client computers in relation to a WINS server


NetBIOS Resources

• Identify systems and applications that rely on NetBIOS for name resolution, including:

    • Windows 98, Windows NT

    • Windows workgroups that do not implement Active Directory

    • Some applications and services

• Determine the impact of removing NetBIOS

• If NetBIOS is used by a critical application, continue to use WINS


Lesson 2: Designing a DNS Server Strategy

• How Clients Resolve Host Names

• Considerations for Placing DNS Servers

• DNS Server Roles

• Securing DNS Servers


How Clients Resolve Host Names

Clients can use the following methods to resolve host names:

• DNS cache (includes contents of HOSTS file)

• DNS server

• NetBIOS name resolution methods

DNS name resolution is controlled by:

• Root hints

• Caching

• Delegation

• Forwarding

• Conditional forwarding


Considerations for Placing DNS Servers

For DNS server placement, consider:

• Network traffic over WAN links

• Availability, if a WAN link fails

• Redundancy, if a DNS server fails

• Client impact, if DNS is unavailable

• Application impact, if DNS is unavailable


DNS Server Roles

Role: Situation

• Caching-only servers: A remote office has a limited amount of available bandwidth

• Non-recursive servers: You have Internet-facing DNS servers that are authoritative for one or more zones

• Forward-only servers: You want to manage the DNS traffic between your network and the Internet

• Conditional forwarders: You want DNS clients on separate networks to resolve each other's names without having to query the DNS server on the Internet


Securing DNS Servers

Options for securing Microsoft DNS servers:

• Firewalls, including Windows Firewall

• Restricting zone transfers

• Securing dynamic updates

• Active Directory-integrated zones

• Forwarding, to limit Internet name resolution


Lesson 3: Designing a DNS Namespace

• DNS Namespace Options

• Selecting DNS Namespace Option

• Hosting Options for DNS

• Guidelines for Designing DNS Namespaces


DNS Namespace Options

• Same Namespace: public DNS namespace nwtraders.com, internal namespace nwtraders.com

• Subdomain: public DNS namespace nwtraders.com, internal namespace corp.nwtraders.com

• Unique Namespace: public DNS namespace nwtraders.com, internal namespace nwtraders.local


Selecting DNS Namespace Option

Unique namespace:

• Record synchronization is not required

• Existing DNS infrastructure is unaffected

• Clearly delineates between internal and external DNS

Same namespace:

• Internal records should not be available externally

• Records may need to be synchronized between internal and external DNS

Subdomain:

• Record synchronization is not required

• Contiguous namespace is easy to understand


Hosting Options for DNS

Option: Description

Complete DNS:

• All internal and external on a single server

• Simple deployment

Split DNS:

• External and internal DNS are hosted on separate servers

• Internal DNS servers can forward Internet DNS requests

• Increased security over complete DNS

Split-Split DNS:

• External and internal DNS are hosted on separate servers

• One external server host resolves local records only

• One external server resolves non-local records only


Guidelines for Designing DNS Namespaces

• Carefully select your internal namespace before installing Active Directory

• Use an internal domain that is a sub-domain of the external domain, for simplicity

• Use unrelated namespaces if you cannot create your internal domain as a subdomain on the external domain

• Avoid using the same internal and external namespace


Lesson 4: Designing DNS Zone Implementation

• Selecting Zone Types

• Selecting Zone Data Location

• Zone Security Considerations


Selecting Zone Types

Zone type: Available disk locations, zone information, and what to use the zone for

Primary:

• Available disk locations: Active Directory (replicated to other Active Directory-integrated zones) or file (transferred to secondary zone servers)

• Use this zone to: act as the point of update for the zone; have a read/write copy of the zone information; administer zone information separately

Secondary:

• Available disk locations: file (provides limited fault tolerance)

• Use this zone to: have a read-only copy of the zone information; improve availability of primary zones; improve performance at local and remote locations

Stub:

• Available disk locations: Active Directory or file (periodically queries the target zone name servers for updates)

• Use this zone to: improve the efficiency of name resolution; simplify DNS administration


Selecting Zone Data Location

Active Directory:

• Used by Active Directory-integrated zones

• Automatic replication to all domain controllers

• Allows multiple servers to update zone data

Combination:

• Used to integrate with traditional DNS

• Active Directory-integrated zones act as primary to traditional secondary zones

Disk:

• Used by traditional primary and secondary zones

• Chosen for integration into existing infrastructure

• Does not require server to be a DC


Zone Security Considerations

• Secured dynamic updates in Active Directory

• Dynamic DNS updates from DHCP

• DNS client dynamic updates

• Zone permissions


Lesson 5: Designing Zone Replication and Delegation

• Zone Replication

• Zone Transfers

• Zone Delegation


Zone Replication

Zone type: Replication options

Active Directory-integrated zone:

• Performing incremental replication between DNS servers

• Adjusting the Active Directory replication schedule

Traditional DNS zone:

• Replicating between primary and secondary zones

• Performing an incremental rather than a complete zone transfer

[Diagram: Active Directory-integrated zones (replication between Active Directory-integrated zones) and traditional DNS zones (zone transfer from primary zone to secondary zone)]


Zone Transfers

Reduce zone transfer impact by:

• Using fast zone transfers to compress data

• Replicating outside of peak hours

• Using incremental zone replication

Security options for zone transfers are:

• Restricting zone transfers

• Securing zone transfers with VPN or IPSec

• Using Active Directory-integrated zones to automatically secure replication
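
The zone-level options listed under Securing DNS Servers, Zone Security Considerations and Zone Transfers can be checked per zone. The PowerShell below is an added example, not part of the original course material: the function name Test-DnsZoneSecurity and the sample zone records are constructed for illustration, and the property names and values are assumed to match the zone objects returned by Get-DnsServerZone in the DnsServer module.

```powershell
# Added example; the function name is hypothetical. Property names and values
# follow the zone objects returned by Get-DnsServerZone (DnsServer module).
function Test-DnsZoneSecurity {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][psobject]$Zone)
    process {
        # This check covers primary zones only; secondary and stub zones are skipped.
        if ($Zone.ZoneType -ne 'Primary') { return }
        $findings = @()

        # Restricting zone transfers: transfers to any requester are flagged.
        if ($Zone.SecureSecondaries -eq 'TransferAnyServer') {
            $findings += 'zone transfers allowed to any server'
        }
        # Securing dynamic updates: nonsecure updates are flagged.
        if ($Zone.DynamicUpdate -eq 'NonsecureAndSecure') {
            $findings += 'nonsecure dynamic updates accepted'
        }
        # Secure-only updates need an Active Directory-integrated zone, so a
        # file-backed zone that accepts updates cannot authenticate them.
        if (-not $Zone.IsDsIntegrated -and $Zone.DynamicUpdate -ne 'None') {
            $findings += 'file-backed zone accepts dynamic updates'
        }

        [pscustomobject]@{
            ZoneName  = $Zone.ZoneName
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings -join '; '
        }
    }
}

# Constructed sample records (not real server output), using the slide's names.
$sampleZones = @(
    [pscustomobject]@{ ZoneName = 'corp.nwtraders.com'; ZoneType = 'Primary'
        IsDsIntegrated = $true; DynamicUpdate = 'Secure'; SecureSecondaries = 'NoTransfer' }
    [pscustomobject]@{ ZoneName = 'nwtraders.com'; ZoneType = 'Primary'
        IsDsIntegrated = $false; DynamicUpdate = 'NonsecureAndSecure'; SecureSecondaries = 'TransferAnyServer' }
    [pscustomobject]@{ ZoneName = 'nwtraders.local'; ZoneType = 'Secondary'
        IsDsIntegrated = $false; DynamicUpdate = 'None'; SecureSecondaries = 'NoTransfer' }
)
$sampleZones | Test-DnsZoneSecurity | Format-Table -AutoSize

# On a DNS server, feed real zones instead of the sample:
# Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | Test-DnsZoneSecurity
```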