TRANSCRIPT
Module 6: Designing Name Resolution
Module Overview
• Collecting Information for a Name Resolution Design
• Designing a DNS Server Strategy
• Designing a DNS Namespace
• Designing DNS Zone Implementation
• Designing Zone Replication and Delegation
Lesson 1: Collecting Information for a Name Resolution Design
• Physical Location Considerations for a Name Resolution Design
• NetBIOS Resources
Physical Location Considerations for a Name Resolution Design
Type               Physical location consideration
Locations          • Number of locations
Hosts              • Number of hosts at each location
DNS servers        • Existence of any prior DNS servers
Active Directory   • Existence of, or plans to include, an Active Directory infrastructure
Client computers   • Location of client computers in relation to a WINS server
NetBIOS Resources
Identify systems and applications that rely on NetBIOS for name resolution, including:
• Windows 98 and Windows NT
• Windows workgroups that do not implement Active Directory
• Some applications and services
• Determine the impact of removing NetBIOS
• If NetBIOS is used by a critical application, continue to use WINS
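An added example (not part of the course module) of the inventory this step calls for: it queries a list of hosts for their NetBIOS-over-TCP/IP setting, configured WINS servers and listening NetBIOS ports, so that every remaining NetBIOS dependency has an owner before WINS is retired. The computer names and the CSV path are hypothetical.

```powershell
# Added example: inventory NetBIOS-over-TCP/IP and WINS dependencies across a set of hosts.
# Not part of the course module; the computer names below are hypothetical placeholders.
$Computers = @('FILE01', 'APP02', 'WKS-OLD-17')

# Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled
$NetbiosState = @{ 0 = 'DHCP-controlled'; 1 = 'Enabled'; 2 = 'Disabled' }

$Report = foreach ($Computer in $Computers) {
    try {
        $Adapters = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration `
            -ComputerName $Computer -Filter 'IPEnabled = True' -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $Computer : $($_.Exception.Message)"
        continue
    }

    # Sockets bound to the NetBIOS name/datagram (UDP 137/138) and session (TCP 139) ports
    # show the host still serves NetBIOS clients, whatever its adapter setting says.
    $NbtListeners = Invoke-Command -ComputerName $Computer -ErrorAction SilentlyContinue -ScriptBlock {
        @(Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue).Count +
        @(Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue).Count
    }

    foreach ($Adapter in $Adapters) {
        [pscustomobject]@{
            Computer       = $Computer
            Adapter        = $Adapter.Description
            NetbiosOverTcp = $NetbiosState[[int]$Adapter.TcpipNetbiosOptions]
            WinsPrimary    = $Adapter.WINSPrimaryServer
            WinsSecondary  = $Adapter.WINSSecondaryServer
            NbtListeners   = $NbtListeners
            # Anything not explicitly disabled, still pointed at WINS, or still listening
            # on NetBIOS ports needs an owner before WINS is decommissioned.
            NeedsReview    = ($Adapter.TcpipNetbiosOptions -ne 2) -or
                             [bool]$Adapter.WINSPrimaryServer -or
                             ($NbtListeners -gt 0)
        }
    }
}

$Report | Sort-Object NeedsReview -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path '.\netbios-dependencies.csv' -NoTypeInformation
```

The per-host port check needs WinRM; hosts that cannot be reached are reported with a warning rather than silently marked clean, since an unreachable host is exactly the kind of forgotten system that still depends on WINS.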
Lesson 2: Designing a DNS Server Strategy
• How Clients Resolve Host Names
• Considerations for Placing DNS Servers
• DNS Server Roles
• Securing DNS Servers
How Clients Resolve Host Names
Clients can use the following methods to resolve host names:
• DNS cache (includes the contents of the HOSTS file)
• DNS server
• NetBIOS name resolution methods
DNS name resolution is controlled by:
• Root hints
• Caching
• Delegation
• Forwarding
• Conditional forwarding
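An added example (not part of the course module) that walks the client-side methods above one at a time and reports which one answers for a given name, using the switches Resolve-DnsName provides for isolating each method. The host names passed at the bottom are hypothetical.

```powershell
# Added example: determine which resolution method (cache/HOSTS, DNS server, LLMNR/NetBIOS)
# answers for a name on this client. Not part of the course module; test names are hypothetical.
function Test-NameResolutionPath {
    param([Parameter(Mandatory)][string]$Name)

    # 1. Resolver cache. HOSTS entries are preloaded into the cache, so a hit here is either
    #    a cached DNS answer or a HOSTS entry; read the file to tell the two apart.
    $cached = Get-DnsClientCache -Entry $Name -ErrorAction SilentlyContinue
    if ($cached) {
        $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
        $inHosts = Get-Content -Path $hostsFile -ErrorAction SilentlyContinue |
            Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($Name))(\s|$)" }
        $method = if ($inHosts) { 'HOSTS file (via cache)' } else { 'DNS cache' }
        return [pscustomobject]@{ Name = $Name; Method = $method; Answer = ($cached.Data -join ', ') }
    }

    # 2. Configured DNS servers only: skip the cache and HOSTS file, and do not fall back to LLMNR/NetBIOS.
    $dns = Resolve-DnsName -Name $Name -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -in 'A', 'AAAA' }
    if ($dns) {
        return [pscustomobject]@{ Name = $Name; Method = 'DNS server'; Answer = (@($dns.IPAddress) -join ', ') }
    }

    # 3. LLMNR/NetBIOS only: what the client falls back to for single-label names DNS cannot answer.
    $nbt = Resolve-DnsName -Name $Name -LlmnrNetbiosOnly -ErrorAction SilentlyContinue
    if ($nbt) {
        return [pscustomobject]@{ Name = $Name; Method = 'LLMNR/NetBIOS'; Answer = (@($nbt.IPAddress) -join ', ') }
    }

    [pscustomobject]@{ Name = $Name; Method = 'Unresolved'; Answer = $null }
}

# Hypothetical names: a domain FQDN, a single-label name, and one that should not resolve anywhere.
'dc01.corp.nwtraders.com', 'FILE01', 'nosuchhost.nwtraders.local' |
    ForEach-Object { Test-NameResolutionPath -Name $_ } |
    Format-Table -AutoSize
```

Run Clear-DnsClientCache first if you want step 2 exercised for names the client has recently looked up; a single-label name that only comes back from step 3 is a concrete NetBIOS/LLMNR dependency to record in the Lesson 1 inventory.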
Considerations for Placing DNS Servers
For DNS server placement, consider:
• Network traffic over WAN links
• Availability, if a WAN link fails
• Redundancy, if a DNS server fails
• Client impact, if DNS is unavailable
• Application impact, if DNS is unavailable
DNS Server Roles
Role                     Situation
Caching-only servers     • A remote office has a limited amount of available bandwidth
Non-recursive servers    • You have Internet-facing DNS servers that are authoritative for one or more zones
Forward-only servers     • You want to manage the DNS traffic between your network and the Internet
Conditional forwarders   • You want DNS clients on separate networks to resolve each other's names without having to query DNS servers on the Internet
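An added example (not part of the course module) showing how each of the four roles in the table is configured with the DnsServer module. The server names, zone names and addresses are hypothetical.

```powershell
# Added example: configure the four DNS server roles from the table.
# Not part of the course module; server names, zones and IP addresses are hypothetical.
Import-Module DnsServer

# 1. Caching-only server in a remote office: hosts no zones, recurses on behalf of local
#    clients and forwards to the hub servers, so each name crosses the WAN once and is then
#    answered from cache. Capping the cache TTL bounds how long a stale answer survives.
Set-DnsServerForwarder -ComputerName 'DNS-BRANCH01' -IPAddress '10.0.0.10', '10.0.0.11' -UseRootHint $true
Set-DnsServerCache -ComputerName 'DNS-BRANCH01' -MaxTtl (New-TimeSpan -Days 1)

# 2. Non-recursive Internet-facing server: answers only for the zones it is authoritative for.
#    On Windows DNS, disabling recursion also disables forwarders on that server, which is what
#    you want here: it must never look anything up on behalf of an Internet client.
Set-DnsServerRecursion -ComputerName 'DNS-EXT01' -Enable $false
Get-DnsServerRecursion -ComputerName 'DNS-EXT01' | Select-Object Enable

# 3. Forward-only internal server: every Internet lookup leaves through controlled resolvers.
#    -UseRootHint $false means it never falls back to querying the root servers directly.
Set-DnsServerForwarder -ComputerName 'DNS-INT01' -IPAddress '192.0.2.53', '192.0.2.54' -UseRootHint $false -Timeout 3

# 4. Conditional forwarder: a partner namespace is sent straight to the partner's servers,
#    stored in AD so every DNS server in the forest learns it.
Add-DnsServerConditionalForwarderZone -ComputerName 'DNS-INT01' -Name 'partner.example' `
    -MasterServers '198.51.100.5', '198.51.100.6' -ReplicationScope 'Forest'

# Verify: forwarding settings, the conditional-forwarder zone, and a resolution through it
Get-DnsServerForwarder -ComputerName 'DNS-INT01' | Select-Object IPAddress, UseRootHint, Timeout
Get-DnsServerZone -ComputerName 'DNS-INT01' | Where-Object ZoneType -eq 'Forwarder' |
    Select-Object ZoneName, MasterServers, ReplicationScope
Resolve-DnsName -Name 'app.partner.example' -Server 'DNS-INT01' -DnsOnly
```

The conditional forwarder is evaluated before the general forwarders, which is why the partner's names never reach the Internet resolvers; confirm that by watching which server the partner lookup is sent to rather than trusting the configuration alone.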
Securing DNS Servers
Options for securing Microsoft DNS servers:
• Firewalls, including Windows Firewall
• Restricting zone transfers
• Securing dynamic updates
• Active Directory Integrated zones
• Forwarding, to limit Internet name resolution
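An added example (not part of the course module) that audits one Windows DNS server against the list above and applies the zone-transfer, forwarding and firewall controls. Zones accepting unauthenticated dynamic updates are only reported here, because the fix for those is a zone-level design choice. The server name, secondary addresses, forwarder addresses and client subnet are hypothetical.

```powershell
# Added example: audit and harden a Windows DNS server (transfers, forwarding, firewall).
# Not part of the course module; every name and address below is hypothetical.
Import-Module DnsServer
$Server      = 'DNS-INT01'
$Secondaries = '10.0.0.11', '10.0.0.12'     # the only hosts allowed to pull zone transfers
$Forwarders  = '192.0.2.53', '192.0.2.54'   # controlled resolvers for Internet names
$ClientNets  = '10.0.0.0/8'                 # where queries may legitimately come from

# 1. Report primary zones that hand their data to any requester or accept unsigned updates
$Zones = Get-DnsServerZone -ComputerName $Server |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' }
$Zones | Select-Object ZoneName, IsDsIntegrated, SecureSecondaries, SecondaryServers, DynamicUpdate |
    Format-Table -AutoSize
$Zones | Where-Object DynamicUpdate -eq 'NonsecureAndSecure' |
    ForEach-Object { Write-Warning "$($_.ZoneName): accepts unauthenticated dynamic updates" }

# 2. Restrict zone transfers. AD-integrated zones replicate through AD and need none at all;
#    file-backed primaries may transfer only to the listed secondaries, which are also notified.
foreach ($Zone in ($Zones | Where-Object SecureSecondaries -eq 'TransferAnyServer')) {
    if ($Zone.IsDsIntegrated) {
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $Zone.ZoneName -SecureSecondaries 'NoTransfer'
    } else {
        Set-DnsServerPrimaryZone -ComputerName $Server -Name $Zone.ZoneName `
            -SecureSecondaries 'TransferToSecureServers' -SecondaryServers $Secondaries `
            -Notify 'NotifyServers' -NotifyServers $Secondaries
    }
}

# 3. Forward-only: Internet lookups leave through the forwarders, never via root hints
Set-DnsServerForwarder -ComputerName $Server -IPAddress $Forwarders -UseRootHint $false

# 4. Windows Firewall on the server itself: accept DNS only from the client networks.
#    Firewall rules are local, so they are created in a remote session on the server.
Invoke-Command -ComputerName $Server -ArgumentList (,$ClientNets) -ScriptBlock {
    param($Nets)
    foreach ($proto in 'UDP', 'TCP') {
        New-NetFirewallRule -DisplayName "DNS $proto 53 - internal networks only" -Direction Inbound `
            -Protocol $proto -LocalPort 53 -RemoteAddress $Nets -Action Allow -Profile Domain
    }
    # The DNS Server role's built-in inbound rules allow any source; disable them if present
    Get-NetFirewallRule -DisplayGroup 'DNS Service' -Direction Inbound -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

# 5. Re-check the result
Get-DnsServerZone -ComputerName $Server | Where-Object ZoneType -eq 'Primary' |
    Select-Object ZoneName, SecureSecondaries, SecondaryServers, Notify
Get-DnsServerForwarder -ComputerName $Server | Select-Object IPAddress, UseRootHint
```

Run the audit part (step 1 and step 5) on a schedule as well: transfer and forwarding settings drift when zones are recreated or servers are rebuilt, and a zone that has silently gone back to TransferAnyServer is an enumeration gift to an attacker.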
Lesson 3: Designing a DNS Namespace
• DNS Namespace Options
• Selecting a DNS Namespace Option
• Hosting Options for DNS
• Guidelines for Designing DNS Namespaces
DNS Namespace Options
Option             Internal namespace     Public DNS namespace
Same namespace     nwtraders.com          nwtraders.com
Subdomain          corp.nwtraders.com     nwtraders.com
Unique namespace   nwtraders.local        nwtraders.com
Selecting a DNS Namespace Option
Unique namespace:
• Record synchronization is not required
• Existing DNS infrastructure is unaffected
• Clearly delineates between internal and external DNS
Same namespace:
• Internal records should not be available externally
• Records may need to be synchronized between internal and external DNS
Subdomain:
• Record synchronization is not required
• Contiguous namespace is easy to understand
Hosting Options for DNS
Option            Description
Complete DNS      • All internal and external DNS hosted on a single server
                  • Simple deployment
Split DNS         • External and internal DNS are hosted on separate servers
                  • Internal DNS servers can forward Internet DNS requests
                  • Increased security over complete DNS
Split-split DNS   • External and internal DNS are hosted on separate servers
                  • One external server resolves local (authoritative) records only
                  • One external server resolves non-local records only
Guidelines for Designing DNS Namespaces
• Carefully select your internal namespace before installing Active Directory
• Use an internal domain that is a sub-domain of the external domain, for simplicity
• Use unrelated namespaces if you cannot create your internal domain as a subdomain of the external domain
• Avoid using the same internal and external namespace
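An added example (not part of the course module) for the case the namespace-selection and hosting slides warn about: a same-namespace split DNS, where the internal server is authoritative for nwtraders.com and therefore never receives the public records automatically. The script compares the public record set on the external server with the internal copies, and checks that internal-only names do not leak outward. Server addresses, record names and the internal-only host list are hypothetical.

```powershell
# Added example: detect record drift between the internal and external copies of a
# same-namespace (split DNS) zone. Not part of the course module; all names and addresses
# below are hypothetical.
$ExternalDns = '203.0.113.53'   # Internet-facing authoritative server for nwtraders.com
$InternalDns = '10.0.0.10'      # internal server authoritative for its own nwtraders.com
$Zone        = 'nwtraders.com'

# Public names that must answer identically inside and outside the network
$PublicNames = @(
    @{ Name = "www.$Zone"; Type = 'A'  },
    @{ Name = $Zone;       Type = 'MX' },
    @{ Name = "vpn.$Zone"; Type = 'A'  }
)
# Names that exist only in the internal zone and must never appear on the external server
$InternalOnly = @('dc01', 'sql01', 'fileserver')

function Get-RecordData([string]$Name, [string]$Type, [string]$Server) {
    $rr = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq $Type }
    switch ($Type) {
        'A'     { @($rr.IPAddress) | Sort-Object }
        'MX'    { @($rr | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) | Sort-Object }
        default { @($rr | ForEach-Object { $_.ToString() }) | Sort-Object }
    }
}

$Drift = foreach ($entry in $PublicNames) {
    $ext = @(Get-RecordData $entry.Name $entry.Type $ExternalDns)
    $int = @(Get-RecordData $entry.Name $entry.Type $InternalDns)
    # Same number of answers, at least one, and no element present on one side only.
    # Compare-Object rejects empty arrays, so the count checks run first.
    $inSync = ($ext.Count -gt 0) -and ($ext.Count -eq $int.Count) -and
              -not (Compare-Object -ReferenceObject $ext -DifferenceObject $int)
    [pscustomobject]@{
        Name     = $entry.Name
        Type     = $entry.Type
        External = ($ext -join ';')
        Internal = ($int -join ';')
        InSync   = $inSync
    }
}
$Drift | Format-Table -AutoSize

# Leak check: an internal-only host that resolves from the Internet means internal data
# was copied the wrong way, or the external server is not the one clients should see.
foreach ($h in $InternalOnly) {
    $leak = Resolve-DnsName -Name "$h.$Zone" -Server $ExternalDns -DnsOnly -ErrorAction SilentlyContinue
    if ($leak) { Write-Warning "Internal-only name $h.$Zone is resolvable on $ExternalDns" }
}
```

Running this from a change pipeline (after every edit to the public zone) is the practical answer to "records may need to be synchronized": the synchronization itself stays a manual, reviewed step, but drift is caught the same day instead of when the VPN stops working from inside.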
Lesson 4: Designing DNS Zone Implementation
• Selecting Zone Types
• Selecting Zone Data Location
• Zone Security Considerations
Selecting Zone Types
Primary
  Storage location: Active Directory (replicated to other Active Directory-integrated zones) or file (transferred to secondary zone servers)
  Use this zone to:
  • Act as the point of update for the zone
  • Have a read/write copy of the zone information
  • Administer zone information separately
Secondary
  Storage location: file (provides limited fault tolerance)
  Use this zone to:
  • Have a read-only copy of the zone information
  • Improve availability of primary zones
  • Improve performance at local and remote locations
Stub
  Storage location: Active Directory or file (periodically queries the target zone's name servers for updates)
  Use this zone to:
  • Improve the efficiency of name resolution
  • Simplify DNS administration
Selecting Zone Data Location
Active Directory
• Used by Active Directory-integrated zones
• Automatic replication to all domain controllers within the zone's replication scope
• Allows multiple servers to update zone data
Combination
• Used to integrate with traditional DNS
• Active Directory-integrated zones act as primary to traditional secondary zones
Disk
• Used by traditional primary and secondary zones
• Chosen for integration into existing infrastructure
• Does not require the server to be a DC
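An added example (not part of the course module) that creates one zone of each type from the table above and places each in the data location the slides describe: an AD-integrated primary, a file-backed primary, a file-backed secondary on a non-DC (the "Combination" option), and an AD-integrated stub. Zone names, server names and addresses are hypothetical.

```powershell
# Added example: create primary, secondary and stub zones with the data locations discussed.
# Not part of the course module; zone names, servers and IP addresses are hypothetical.
Import-Module DnsServer

# Primary stored in Active Directory: replicated to every DNS server that is a DC in the
# domain, writable on all of them, and able to require secure (authenticated) dynamic updates.
Add-DnsServerPrimaryZone -Name 'corp.nwtraders.com' -ReplicationScope 'Domain' -DynamicUpdate 'Secure'

# Primary stored in a file: the single point of update for a traditional zone. A file-backed
# zone cannot use secure updates, so dynamic updates are switched off entirely.
Add-DnsServerPrimaryZone -Name 'legacy.nwtraders.com' -ZoneFile 'legacy.nwtraders.com.dns' -DynamicUpdate 'None'

# Secondary on a branch server that is not a DC: read-only copy pulled from the AD-integrated
# primary (the "Combination" option), stored in a file.
Add-DnsServerSecondaryZone -ComputerName 'DNS-BRANCH01' -Name 'corp.nwtraders.com' `
    -ZoneFile 'corp.nwtraders.com.dns' -MasterServers '10.0.0.10', '10.0.0.11'

# Stub stored in Active Directory: holds only the SOA, NS and glue records of a delegated
# child zone, refreshed by polling that zone's name servers, and visible forest-wide.
Add-DnsServerStubZone -Name 'dev.corp.nwtraders.com' -MasterServers '10.20.0.5' -ReplicationScope 'Forest'

# Review what was built
Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate, ZoneFile, MasterServers |
    Format-Table -AutoSize

# A secondary is created even if the primary refuses it transfers; check that it actually loaded
Get-DnsServerZone -ComputerName 'DNS-BRANCH01' -Name 'corp.nwtraders.com' |
    Select-Object ZoneName, ZoneType, IsShutdown, MasterServers
```

The secondary only fills once the primary's zone-transfer settings list DNS-BRANCH01 as a permitted secondary; until then the zone exists on the branch server but answers nothing, which is the failure mode to look for when a branch office reports that names stopped resolving after a migration.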
Zone Security Considerations
• Secured dynamic updates in Active Directory
• Dynamic DNS updates from DHCP
• DNS client dynamic updates
• Zone permissions
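An added example (not part of the course module) covering the four items above for one AD-integrated zone: secure-only dynamic updates, DHCP registering on clients' behalf with a dedicated account and name protection, the client-side registration setting, and a review of who holds write rights on the zone object in Active Directory. Zone, domain, DHCP server, adapter and account names are hypothetical.

```powershell
# Added example: secure the dynamic-update path for an AD-integrated zone and review its ACL.
# Not part of the course module; zone, server, adapter and account names are hypothetical.
Import-Module DnsServer, DhcpServer, ActiveDirectory
$Zone = 'corp.nwtraders.com'
$Dhcp = 'DHCP01'

# 1. Only authenticated updates are accepted; the updater becomes the owner of the record,
#    so another machine cannot later overwrite it.
Set-DnsServerPrimaryZone -Name $Zone -DynamicUpdate 'Secure'

# 2. DHCP registers records with a dedicated, low-privilege account (hypothetical svc-dhcpdns).
#    Records it creates are owned by that account rather than by each DHCP server's computer
#    object, so a DHCP failover partner can still update them. Name protection (DHCID records)
#    stops a new lease from stealing a name that another client already registered, and
#    stale records are removed when the lease expires.
$cred = Get-Credential -Message 'Account used by DHCP for DNS registration (hypothetical svc-dhcpdns)'
Set-DhcpServerDnsCredential -ComputerName $Dhcp -Credential $cred
Set-DhcpServerv4DnsSetting -ComputerName $Dhcp -DynamicUpdates 'OnClientRequest' `
    -DeleteDnsRRonLeaseExpiry $true -NameProtection $true

# 3. Only if legacy clients require the DHCP server's computer account to be in DnsUpdateProxy:
#    records it creates are then unowned until a client claims them, so keep name protection on.
# Add-ADGroupMember -Identity 'DnsUpdateProxy' -Members "$Dhcp$"

# 4. Client side: register the domain-facing adapter only, with the primary DNS suffix
#    (run on the client; the adapter alias is hypothetical).
Set-DnsClient -InterfaceAlias 'Ethernet' -RegisterThisConnectionsAddress $true -UseSuffixWhenRegistering $true

# 5. Zone permissions: list every principal with write-capable rights on the zone object.
#    Anything beyond the usual administrators and the zone's own update accounts needs justification.
$zoneDn = "DC=$Zone,CN=MicrosoftDNS,DC=DomainDnsZones," + (Get-ADDomain).DistinguishedName
(Get-Acl -Path "AD:\$zoneDn").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.ActiveDirectoryRights -match 'Write|CreateChild|Delete|GenericAll' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Sort-Object IdentityReference | Format-Table -AutoSize
```

The DN in step 5 assumes the zone was created with domain replication scope (DomainDnsZones); a forest-scoped zone lives under DC=ForestDnsZones, and a legacy-scope zone under CN=MicrosoftDNS,CN=System in the domain partition. Check Get-DnsServerZone's ReplicationScope before trusting the path.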
Lesson 5: Designing Zone Replication and Delegation
• Zone Replication
• Zone Transfers
• Zone Delegation
Zone Replication
Zone type                          Replication options
Active Directory-integrated zone   • Performing incremental replication between DNS servers
                                   • Adjusting the Active Directory replication schedule
Traditional DNS zone               • Replicating between primary and secondary zones
                                   • Performing an incremental rather than a complete zone transfer
[Figure: Active Directory-integrated zones replicate to one another through Active Directory replication; a traditional primary zone sends zone transfers to its secondary zones]
Zone Transfers
Reduce zone transfer impact by:
• Using fast zone transfers to compress data
• Replicating outside of peak hours
• Using incremental zone replication
Security options for zone transfers are:
• Restricting zone transfers
• Securing zone transfers with VPN or IPSec
• Using Active Directory-integrated zones to automatically secure replication
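An added example (not part of the course module) for the traditional-zone side of this lesson: it compares the SOA serial on the primary with each secondary to find stale copies, configures NOTIFY so that secondaries learn of changes promptly instead of waiting for the refresh interval, and triggers an incremental transfer (or a full one when a copy is too far behind to be patched). The zone, primary server and secondary addresses are hypothetical.

```powershell
# Added example: check secondary zones against the primary and drive incremental transfers.
# Not part of the course module; zone name, primary server and secondary addresses are hypothetical.
Import-Module DnsServer
$Zone        = 'legacy.nwtraders.com'
$Primary     = '10.0.0.10'
$Secondaries = '10.1.0.10', '10.2.0.10'

# Ask a server directly (no recursion) for the zone's SOA and return its serial number
function Get-ZoneSerial([string]$ZoneName, [string]$Server) {
    $soa = Resolve-DnsName -Name $ZoneName -Type SOA -Server $Server -DnsOnly -NoRecursion -ErrorAction SilentlyContinue |
        Where-Object Type -eq 'SOA'
    if ($soa) { [uint32]$soa.SerialNumber } else { $null }
}

$PrimarySerial = Get-ZoneSerial $Zone $Primary
$Status = foreach ($s in $Secondaries) {
    $serial = Get-ZoneSerial $Zone $s
    $state = if ($null -eq $serial)            { 'Unreachable or zone not loaded' }
             elseif ($serial -eq $PrimarySerial) { 'In sync' }
             else                                { 'Stale' }
    [pscustomobject]@{ Secondary = $s; PrimarySerial = $PrimarySerial; Serial = $serial; State = $state }
}
$Status | Format-Table -AutoSize

# NOTIFY: the primary tells exactly these secondaries when the serial changes, so an IXFR
# follows within seconds rather than after the SOA refresh interval expires.
Set-DnsServerPrimaryZone -ComputerName $Primary -Name $Zone -Notify 'NotifyServers' -NotifyServers $Secondaries

# Pull stale copies up to date. Default is incremental (IXFR: only the changed records);
# -FullTransfer forces a complete AXFR, which is the right call when the secondary's serial is
# older than what the primary's change history still covers.
foreach ($entry in $Status | Where-Object State -eq 'Stale') {
    $behind = $PrimarySerial - $entry.Serial
    if ($behind -gt 1000) {
        Start-DnsServerZoneTransfer -ComputerName $entry.Secondary -Name $Zone -FullTransfer
    } else {
        Start-DnsServerZoneTransfer -ComputerName $entry.Secondary -Name $Zone
    }
}
```

The 1000-serial threshold is an arbitrary illustration; the actual limit is how many versions the primary keeps in its change log, so size it from the zone's update rate. A secondary that is reported "Unreachable or zone not loaded" while the server itself answers other queries usually means the primary's transfer restrictions do not list it.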