Planning DNS


  • 8/13/2019 Planning DNS


Module 5: Planning a DNS Strategy

Contents

Overview 1
Lesson: Planning DNS Servers 2
Multimedia: How DNS Clients Resolve Names 3
Multimedia: Resolving Names with a DNS Server 8
Lesson: Planning a Namespace 18
Multimedia: A Planning DNS Namespace Strategy 19
Lesson: Planning Zones 31
Lesson: Planning Zone Replication and Delegation 42
Lesson: Integrating DNS and WINS 53
Multimedia: Integrating DNS and WINS 54
Lab A: Planning a DNS Strategy 62


Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, MSDN, PowerPoint, SharePoint, Visual Basic, and Windows Media are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.


How to Teach This Module

This section contains information that will help you to teach this module.

How To Pages, Guidelines and Practices, and Labs

Explain to the students how the How To pages, practices, and labs are designed for this course. A module includes two or more lessons. Most lessons include How To pages and a practice. After completing all of the lessons for a module, the module concludes with a lab.

How To pages

The How To pages are designed for the instructor to demonstrate how to do a task. The students do not perform the tasks on the How To page with the instructor. They will use these steps to perform the practice at the end of each lesson.

Guidelines pages

The guidelines pages are pages that provide you with the key decision points for the topic of the lesson. You will use these guidelines as a reinforcement of the lesson content and objectives.

Practices

After you have covered the contents of the topic, and demonstrated the How To procedures for the lesson, explain that a practice will give students a chance for hands-on learning of all the tasks discussed in the lesson.

Labs

At the end of each module, the lab enables the students to practice the tasks that are discussed and applied in the entire module.

Using scenarios that are relevant to the job role, the lab gives students a set of instructions in a two-column format. The left column provides the task, for example: Create a group. In the right column are specific instructions that the students need to perform the task, for example: From Active Directory Users and Computers, double-click the domain node.

An answer key for each lab exercise is located on the Student Materials compact disc, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.

Lesson: Planning DNS Servers

This section describes the instructional methods for teaching this lesson.

Overview

When you introduce this lesson, emphasize that the planning decisions students will make for DNS servers are influenced by whether or not they will use the Active Directory directory service.

Determining DNS Server Placement

When you teach this topic, point out that there are several issues that affect the placement of DNS servers. These include client considerations, the physical structure of the network, and the number of DNS servers on the network that perform different roles.


DNS Server Roles

When you discuss DNS server roles, tell students that they can use servers in any or all of these roles in an environment to provide a DNS solution.

Levels of Securing Microsoft DNS Servers

When you teach this topic, emphasize that it is unlikely that students would choose to implement low-level security on a DNS server. Also, clarify that these security levels are not discrete choices or setting labels. Instead they are general categories of security measures that the students implement using a variety of settings.

Lesson: Planning a Namespace

This section describes the instructional methods for teaching this lesson.

DNS Namespace Options

When you discuss DNS namespace options, point out that .local is not a valid domain suffix on the Internet; it is only valid internally. If the students choose an internal namespace that is valid on the Internet, they should register it.

Lesson: Planning Zones

This section describes the instructional methods for teaching this lesson.

Selecting Zone Types

When you discuss zone types, tell the students that in Microsoft Windows Server 2003, they select zone types first and then choose the storage location. To clarify this, you may want to demonstrate creating a new zone by using the wizard in Windows Server 2003.

Selecting Zone Data Location

In this topic, recommend the use of an Active Directory zone whenever appropriate. In most cases, an Active Directory zone is more secure and easier to manage than a traditional zone.

Lesson: Planning Zone Replication and Delegation

This section describes the instructional methods for teaching this lesson.

When to Create a Secondary Zone

Emphasize that in an exclusive Active Directory environment, if the students use Active Directory-integrated zones, they will not require secondary zones.

Zone Delegation

When you discuss the necessity of planning for zone delegation, emphasize that the students should also have a plan for forwarding.

Lesson: Integrating DNS and WINS

This section describes the instructional methods for teaching this lesson.

Overview

When you introduce this lesson, explain to students that they will need to integrate DNS and Windows Internet Name Service (WINS) when they have DNS clients that need to query names that are only located in WINS.

Modifying Cache Timeout Settings

Point out to students that modifying cache timeout settings is an optimization step and that you will discuss optimizing in more detail in Module 6, Optimizing and Troubleshooting DNS.


Lab A: Planning a DNS Strategy

Before beginning the lab, students should have completed all of the practices. Remind the students that they can return to guidelines and content pages in the module for assistance. The answer key for each lab is provided on the Student Materials compact disc.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

The lab in this module is also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Automated Classroom Setup Guide for Course 2278, Planning and Maintaining a Microsoft Windows Server 2003 Network Infrastructure.

Lab Setup

There are no lab setup requirements that affect replication or customization.

Lab Results

There are no configuration changes on student computers that affect replication or customization.


Lesson: Planning DNS Servers

    *****************************ILLEGAL FOR NON-TRAINER USE******************************

Introduction

This lesson covers DNS server configurations and properties. In addition, the lesson discusses security for DNS servers.

Enabling objectives

After completing this lesson, you will be able to:

• Determine DNS server configurations.
• Determine DNS server properties.
• Determine DNS Security (DNSSEC) support.
• Determine User Datagram Protocol (UDP) message size.


Multimedia: How DNS Clients Resolve Names

Introduction

The objective of this presentation is to explain how DNS clients resolve host names to IP addresses.

Objectives

You will learn how to:

• Explain the functionality of a DNS server in a routed network.
• Identify a fully qualified domain name.
• Explain the process for using a DNS server to resolve a HOST name to an IP address.

Key questions

When viewing this presentation, you should consider the following questions:

• What is the function of a DNS server?
• How does a DNS server process fully qualified domain names?
• How does a DNS server resolve a HOST name to an IP address?


Determining DNS Server Requirements

Introduction

After you have defined your DNS plan, you need to determine the server requirements. You will need to consider several factors when planning your DNS server. You should:

• Perform capacity planning and review the server hardware requirements.
• Determine the number of DNS servers you need and their roles in your network. When deciding the number of DNS servers to use, you need to decide the servers that will host primary and secondary copies of the zones. Also, if you are using the Active Directory directory service, determine whether the server computer performs as a domain controller or a member server for the domain.
• Decide where you are going to place DNS servers on your network for traffic loads, replication, and fault tolerance.
• Decide whether to use only DNS servers running Microsoft Windows Server 2003 for all of your DNS servers or whether you will employ a mixture of Windows and other DNS server implementations.


Planning server capacity

Planning and deploying DNS servers on your network involves examining several aspects of the network and the capacity requirements for any DNS servers that you intend to use in it. Consider the following factors when planning server capacity:

• Determine the number of zones that the DNS server is expected to load and host.
• For each zone that the server is loading for service, determine the size of the zone based on the size of the zone file or the number of resource records that are used in the zone.
• For a multiple-homed (more than one IP address) DNS server, determine the number of addresses that are to be enabled for listening to and servicing DNS clients on each of the server's connected subnets.
• Define the total number of client DNS query requests that a DNS server is expected to receive and service.

DNS server system requirements

In many cases, adding more RAM to a DNS server can result in noticeable performance improvement. This improvement is because the DNS server service fully loads all of its configured zones into memory at startup. If your server is operating and loading a large number of zones, and if dynamic updates occur frequently for zone clients, additional memory can be helpful.

Keep in mind that, for typical usage, the DNS server consumes system memory as follows:

• Approximately 4 megabytes (MB) of RAM is used when the DNS server is started without any zones.
• The DNS server consumes additional server memory for each zone or resource record that is added to the server.
• It is estimated that an average of approximately 100 bytes of server memory are used for every resource record that is added to a server zone. For example, if a zone containing 1000 resource records is added to a server, it will require approximately 100 kilobytes (KB) of server memory.

You can begin determining your server plans by reviewing sample DNS server performance test results collected by the Windows Server 2003 DNS development and testing teams. In addition, you can use DNS server-related counters that are provided for use with Windows Server 2003 monitoring tools to obtain your own performance measurements for the DNS servers that are running Windows Server 2003 that you deploy on your network.

Important: The preceding recommendations are not intended to indicate the maximum performance or limitations for DNS servers that are running Windows Server 2003.

These numbers are approximate and can be influenced by the type of the resource records that are entered in zones, the number of resource records that have the same owner name, and the number of zones in use at a specific DNS server.


Determining DNS Server Placement

Introduction

You need to consider several factors when deciding where to place your DNS servers. You need to determine not only where to place the servers, but also the number of servers you need and their system configuration.

DNS server placement

In general, place your DNS servers at a location on your network that is most accessible to your clients. It is often most practical to use a DNS server on each subnet. Consider the following factors when deciding where to place a DNS server:

• If you are deploying DNS to support Active Directory, identify if the DNS server computer is also a domain controller or is likely to be promoted to one in the future.
• If the DNS server stops responding, determine if its local clients are able to gain access to an alternate DNS server.
• If the DNS server is located on a subnet that is remote to some of its clients, identify the other DNS servers or name resolution options that are available if the routed connection stops responding.
• For DNS server installations in which the use of Active Directory is an issue, review special interoperability issues and installation details.
• For all DNS server installations, including those in which the use of Active Directory is not an issue, it can be useful to apply the following server placement and planning guidelines.


How many servers should you have?

When determining the number of DNS servers you need to use, assess the effect of zone transfers and DNS query traffic on slower links in your network. Although DNS is designed to help reduce broadcast traffic between local subnets, it does create some traffic between servers and clients. You should review this traffic, particularly when implementing DNS in complexly routed LAN or WAN environments.

Consider the effects of zone transfer over slower links such as those typically used for a WAN connection. Although the DNS service supports incremental zone transfers, and Windows Server 2003 DNS clients and servers can cache recently used names, traffic can still be an issue, particularly when shortened Dynamic Host Configuration Protocol (DHCP) leases result in more frequent dynamic updates in DNS. One option for dealing with remote locations on WAN links is to set up a DNS server at these locations to provide caching-only DNS service.

With most installations, you should have at least two server computers hosting each of your DNS zones for fault tolerance. DNS was designed to have two servers for each zone: one as the primary server and the other as a backup or secondary server. Before deciding the number of servers you will use, you should first assess the level of fault tolerance you need for your network.

DNS server placement example

If you have a routed LAN and high-speed links that are fairly reliable, you might be able to use one DNS server for a larger, multiple subnetted network area. If you have a large number of client nodes on a single subnet design, you might want to add more than one DNS server to the subnet to provide backup and failover in case the preferred DNS server stops responding.

Note: When using only a single server running Windows Server 2003 on a small LAN in a single-subnet environment, you can configure the single server to simulate both the primary and secondary servers for a zone.


Multimedia: Resolving Names with a DNS Server

Introduction

The objective of this presentation is to explain the process for resolving names with a DNS server.

Objectives

You will learn how to:

• Explain the functionality of a DNS server.
• Define the process for name resolution using a DNS server.
• Identify the query types.
• Explain DNS and WINS integration.

Key questions

When viewing this presentation, you should consider the following questions:

• What are the two types of queries that a resolver can make to a DNS server?
• Why was the special zone in-addr.arpa created?
• What is a pointer (PTR) record?
• How do forward queries resolve host names?
• How do reverse queries resolve host names?


When a remote office has a limited amount of available bandwidth for connecting to a corporate office, a caching-only server should be configured at the remote office to send recursive queries to a DNS server at the corporate office. A recursive query is one in which the DNS server assumes the full workload and responsibility for providing a complete answer to the query. The DNS server at the corporate office is better equipped to handle recursive queries because it has a greater amount of available bandwidth for connecting to the Internet or an intranet.

Non-recursive servers

A non-recursive server is a DNS server on which recursion has been disabled. This prevents the server from using recursion to resolve names on behalf of clients. The server is also prevented from forwarding requests. If a non-recursive server is unable to resolve a name directly, it returns a negative response to the query.

You should disable recursion on Internet-facing DNS servers that are authoritative for one or more zones. This will allow the DNS server to respond to queries from other DNS servers for your zone information but will prevent Internet clients from using your DNS server to resolve other domain names on the Internet. You can also disable recursion if you want to restrict your clients to resolving names internal to your organization.

Forward-only servers

When a DNS server that is configured to use forwarders cannot resolve a query locally or by using its forwarders, the server attempts to resolve the query by using standard recursion. You can also configure a DNS server to not perform recursion after the forwarders fail. In this configuration, the server does not attempt any further recursive queries to resolve the name. Instead, if the server does not receive a successful query response from any of the servers that are configured as forwarders, it fails the query. A DNS server that is configured in this manner is called a forward-only DNS server. If all forwarders for a name in the query do not respond to a forward-only DNS server, that DNS server does not attempt recursion.

Unlike a non-recursive DNS server, a forward-only DNS server builds up a cache relating to the domain name and uses this cache to attempt to resolve host names.

You use forwarders to manage the DNS traffic between your network and the Internet by configuring the firewall used by your network to allow only one DNS server to communicate with the Internet.


Conditional forwarders

A conditional forwarder is a DNS server that is used to forward DNS queries according to the DNS domain name in the query.

The conditional forwarder setting for a DNS server consists of the following elements:

• The domain names for which the DNS server will forward queries.
• One or more DNS server IP addresses for each domain name specified.

A DNS server that is configured to use a forwarder behaves differently than a DNS server that is not configured to use a forwarder. A DNS server configured to use a forwarder behaves as follows:

• When the DNS server receives a query, it attempts to resolve this query by using the primary and secondary zones that it hosts and its cache.
• If the query cannot be resolved by using this local data, the server forwards the query to the DNS server that is designated as a forwarder.
• The DNS server waits briefly for an answer from the forwarder before attempting to contact the DNS servers that are specified in its root hints.
• When a DNS server forwards a query to a forwarder, it sends a recursive query to the forwarder. This is different than the iterative query that a DNS server sends to another DNS server during standard name resolution (that is, name resolution that does not involve a forwarder).

In situations in which you want DNS clients in separate networks to resolve each other's names without having to query DNS servers on the Internet, you can configure the DNS servers in each network to forward queries for names in the other network. DNS servers in one network will forward names for clients in the other network to a specific DNS server that will build up a large cache of information about the other network. When forwarding in this way, you create a direct point of contact between the two networks' DNS servers, reducing the need for recursion.
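The forwarding behaviour described in the non-recursive, forward-only and conditional forwarder topics above, modelled in Python as an added example. This is not code from the course or from the Windows DNS Server service; the `DnsServer` class, the zone data, the cache entries, the forwarder addresses (private and TEST-NET ranges) and the fictitious names are all constructed for the demonstration. The model follows the order the module gives: hosted zones and cache first, then the conditional forwarder whose domain name matches the query (most specific match), then the general forwarders, and only then root hints, unless the server is forward-only or has recursion disabled.

```python
from dataclasses import dataclass, field

# Constructed sample data (TEST-NET and private addresses, fictitious names).
INTERNET = {"www.example.com": "198.51.100.7"}       # what full recursion via root hints would find
FORWARDER_ANSWERS = {                                 # what each forwarder would return
    "10.0.0.5": {"www.example.com": "198.51.100.7"},  # corporate forwarder, reachable
    "10.1.1.5": {"app.fabrikam.com": "10.1.1.20"},    # partner network's DNS server
    # "10.0.0.6" is intentionally absent: a forwarder that does not respond
}


@dataclass
class DnsServer:
    zones: dict                                        # authoritative records: name -> address
    cache: dict = field(default_factory=dict)
    forwarders: list = field(default_factory=list)     # general forwarder IP list
    conditional: dict = field(default_factory=dict)    # domain name -> forwarder IP list
    forward_only: bool = False                         # no recursion after forwarders fail
    recursion_enabled: bool = True                     # False models a non-recursive server

    def resolve(self, name):
        """Return (source, address); address is None when the query fails."""
        name = name.lower().rstrip(".")
        # Local data first: hosted zones, then cache.
        if name in self.zones:
            return "authoritative", self.zones[name]
        if name in self.cache:
            return "cache", self.cache[name]
        # A non-recursive server neither recurses nor forwards on a client's behalf.
        if not self.recursion_enabled:
            return "refused", None
        # Conditional forwarders are chosen by the query's domain name;
        # the most specific (longest) matching domain wins.
        matches = [d for d in self.conditional if name == d or name.endswith("." + d)]
        targets = self.conditional[max(matches, key=len)] if matches else self.forwarders
        for ip in targets:
            answer = FORWARDER_ANSWERS.get(ip, {}).get(name)
            if answer is not None:
                self.cache[name] = answer              # forwarded answers are cached
                return "forwarder:" + ip, answer
        # No forwarder answered. A forward-only server stops here.
        if targets and self.forward_only:
            return "failed", None
        # Otherwise fall back to standard recursion through root hints.
        if name in INTERNET:
            self.cache[name] = INTERNET[name]
            return "recursion", INTERNET[name]
        return "failed", None


def run_scenarios():
    """Exercise each configuration the module describes; returns {label: result}."""
    zones = {"srv1.contoso.com": "10.0.0.10"}
    standard = DnsServer(zones, forwarders=["10.0.0.6"])                  # dead forwarder, recursion allowed
    fwd_only = DnsServer(zones, forwarders=["10.0.0.6"], forward_only=True)
    non_rec = DnsServer(zones, recursion_enabled=False)                    # Internet-facing authoritative server
    cond = DnsServer(zones, forwarders=["10.0.0.5"], conditional={"fabrikam.com": ["10.1.1.5"]})
    return {
        "standard falls back to root hints": standard.resolve("www.example.com"),
        "forward-only fails instead": fwd_only.resolve("www.example.com"),
        "non-recursive answers own zone": non_rec.resolve("srv1.contoso.com"),
        "non-recursive refuses other names": non_rec.resolve("www.example.com"),
        "conditional forwarder by domain": cond.resolve("app.fabrikam.com"),
        "second lookup served from cache": cond.resolve("app.fabrikam.com"),
        "other names use general forwarder": cond.resolve("www.example.com"),
    }


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

The two failure modes worth comparing are the forward-only server, which returns a failure as soon as its forwarders are silent, and the non-recursive server, which refuses anything outside the zones it hosts even when forwarders could have answered; the module's advice to disable recursion on Internet-facing authoritative servers rests on exactly that second behaviour.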


Levels of Securing Microsoft DNS Servers

Introduction

There are three levels of DNS security. You need to determine the appropriate security level for your network based on your organization's needs. The following three levels of DNS security will help you understand your current DNS configuration and enable you to increase your organization's DNS security.

Low-level security

Low-level security is a standard DNS deployment without any security precautions configured. You deploy this level of DNS security only in network environments in which there is no concern for the integrity of your DNS data or in a private network in which there is no threat of external connectivity.

When you implement low-level security:

• Your organization's DNS infrastructure is fully exposed to the Internet.
• Standard DNS resolution is performed by all DNS servers in your network.
• All DNS servers are configured with root hints pointing to the root servers for the Internet.
• All DNS servers permit zone transfers to any server.
• All DNS servers are configured to listen on all of their IP addresses.
• Cache pollution prevention is disabled on all DNS servers.
• Dynamic updating is allowed for all DNS zones.
• UDP and TCP/IP port 53 is open on your network firewall for both source and destination addresses.


Medium-level security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory.

When you implement medium-level security:

• Your organization's DNS infrastructure has limited exposure to the Internet.
• All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
• All DNS servers limit zone transfers to servers listed in the name server (NS) resource records in their zones.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Dynamic updating is not allowed for any DNS zones.
• Internal DNS servers communicate with external DNS servers through the firewall, allowing only a limited list of source and destination addresses.
• External DNS servers in front of your firewall are configured with root hints pointing to the root servers for the Internet.
• All Internet name resolution is performed by using proxy servers and gateways.

High-level security

High-level security uses the same configuration as medium-level security, in addition to the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required.

When you implement high-level security:

• Your organization's DNS infrastructure allows no Internet communication with internal DNS servers.
• Your network uses an internal DNS root and namespace where all authority for DNS zones is internal.
• DNS servers that are configured with forwarders use internal DNS server IP addresses only.
• All DNS servers limit zone transfers to specified IP addresses.
• DNS servers are configured to listen on specified IP addresses.
• Cache pollution prevention is enabled on all DNS servers.
• Internal DNS servers are configured with root hints pointing to the internal DNS servers hosting the root zone for your internal namespace.
• All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
• All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.


• DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
• Secure dynamic updating is configured for DNS zones, except the top-level and root zones, which do not allow dynamic updates at all.

Note: For additional information about DNS security threats, see the following topic in the DNS help files: Security Information for DNS.
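To make the three checklists concrete, here is an added Python example (not course material, and not a real Windows DNS tool) that audits a constructed description of an internal DNS server against the medium-level and high-level items above and reports the highest level whose controls it meets, together with the items it misses. The configuration keys, the sample values and the private-address test used to decide whether a forwarder is "internal" are assumptions of the example; the items that concern external servers in front of the firewall (Internet root hints, proxy servers) are not modelled. The medium check accepts secure-only dynamic update as well as no update, since the high level requires secure update.

```python
import ipaddress

# Private address ranges; the example treats forwarders in these ranges as "internal".
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in PRIVATE_NETS)


# Controls the module lists for medium-level security (internal server view).
MEDIUM_CONTROLS = [
    ("forwarders point to a specific list of internal DNS servers",
     lambda c: bool(c["forwarders"]) and all(is_internal(ip) for ip in c["forwarders"])),
    ("zone transfers are limited to servers in the zone's NS records (or a list)",
     lambda c: c["zone_transfers"] in ("ns_only", "ip_list")),
    ("server listens on specified IP addresses only",
     lambda c: c["listen_addresses"] != "all"),
    ("cache pollution prevention is enabled",
     lambda c: c["cache_pollution_prevention"]),
    ("nonsecure dynamic update is not allowed",
     lambda c: c["dynamic_update"] != "nonsecure"),
]

# Additional controls for high-level security.
HIGH_CONTROLS = [
    ("zone transfers are limited to specified IP addresses",
     lambda c: c["zone_transfers"] == "ip_list"),
    ("root hints point to the internal root servers, not the Internet roots",
     lambda c: c["root_hints"] == "internal"),
    ("DNS Server service runs on a domain controller with Active Directory zones",
     lambda c: c["ad_integrated"]),
    ("secure dynamic update (or no update) is configured",
     lambda c: c["dynamic_update"] in ("secure", "none")),
]


def audit(config):
    """Return (level, failed) where level is 'low', 'medium' or 'high'."""
    failed_medium = [text for text, ok in MEDIUM_CONTROLS if not ok(config)]
    if failed_medium:
        return "low", failed_medium
    failed_high = [text for text, ok in HIGH_CONTROLS if not ok(config)]
    if failed_high:
        return "medium", failed_high
    return "high", []


# Constructed sample configurations (private and TEST-NET addresses).
DEFAULT_INSTALL = {                 # a standard deployment with no precautions configured
    "forwarders": [],
    "zone_transfers": "any",
    "listen_addresses": "all",
    "cache_pollution_prevention": False,
    "dynamic_update": "nonsecure",
    "root_hints": "internet",
    "ad_integrated": False,
}

HARDENED_INTERNAL = {               # the same server configured to the high-level list
    "forwarders": ["10.0.0.5"],
    "zone_transfers": "ip_list",
    "listen_addresses": ["10.0.0.10"],
    "cache_pollution_prevention": True,
    "dynamic_update": "secure",
    "root_hints": "internal",
    "ad_integrated": True,
}

# Medium level: standard (non-AD) zones, no dynamic update, Internet root hints.
MEDIUM_INTERNAL = dict(HARDENED_INTERNAL, zone_transfers="ns_only", root_hints="internet",
                       ad_integrated=False, dynamic_update="none")


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_INSTALL), ("medium", MEDIUM_INTERNAL),
                      ("hardened", HARDENED_INTERNAL)):
        level, failed = audit(cfg)
        print(f"{name}: {level}")
        for item in failed:
            print("  missing:", item)
```

The ordering matters: a server that fails any medium-level control is reported as low regardless of how many high-level controls it has, which matches the module's point that the levels are cumulative categories rather than independent settings.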


Guidelines for Planning a DNS Server

Introduction

The following guidelines are recommended for planning a DNS server.

Determine server requirements

Planning and deploying DNS servers on your network involves defining the server capacity that your enterprise requires and determining the DNS server configuration.

Determine DNS server placement

When determining server placement, you need to determine the number of servers and their placement. This depends on whether you implement Active Directory and the connection speed between offices.

Determine server functionality

Your DNS server can have any of several different functions. You need to determine if you will employ a caching-only solution, a forward-only server, conditional forwarders, or stub zones. Each of the options has unique characteristics and specialized performance.

Determine the level of security to implement

Finally, you need to determine whether to implement high-level, medium-level, or low-level security based on your DNS configuration and organizational needs.


Practice: Planning DNS Server Security

Introduction

In this practice, you will plan and discuss the challenges of securing a DNS server configuration.

Objective

The objective of this practice is to plan the DNS server security.

Instructions

1. Read the scenario.
2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario

You are a DNS consultant for Contoso, Ltd, a fast-growing custom automobile parts distributor and manufacturer. The company recently completed a security review by a security consulting firm and was warned that its DNS server was vulnerable to attack because its firewall allowed DNS traffic to and from any server. All of Contoso, Ltd's DNS servers were allowed direct Internet communication through the firewall.

The DNS design document has been changed to read as follows:

The firewall will only allow DNS traffic out to the Internet from the one DNS server on the screened subnet. The only DNS traffic allowed from the intranet will be from the three DNS servers on the corporate network to the DNS server on the screened subnet.


Lesson: Planning a Namespace

Introduction

This lesson discusses concepts and required decisions for planning a namespace.

Objectives

After completing this lesson, you will be able to:

• Examine an existing network environment for factors that might affect DNS design.
• Determine the need for Internet access and multiple namespace considerations.
• Determine namespace design.


Multimedia: A Planning DNS Namespace Strategy

Introduction

The objective of this presentation is to provide guidelines for planning a DNS namespace.

Objectives

You will learn how to:

Explain how to separate the internal and external namespaces.

Apply the guidelines for integrating the Active Directory namespace and DNS namespace.

Explain the importance of choosing a unique name for an internal namespace.

Decide how the public and private namespaces will be related.

Explain the importance of planning a hierarchical namespace.

Key questions

When viewing this presentation, you should consider the following questions:

How will you integrate your internal private namespace and your external public namespace?

What service must be available before you can create your first Active Directory domain controller?

What are your business identity needs?

What are your organization's security requirements?

What do you need to do to ensure that your private namespace is unique?

Why do you need to ensure that only one DNS server requires a root hints file?


(continued)

Top-level name   Purpose                                                           Example
.mil             United States military organizations, such as the U.S. Air Force  af.mil
.net             Networking organizations, including Internet service providers    psi.net
                 (ISPs)
.org             Noncommercial organizations, such as ICANN                        ICANN.org

Note

You can find a complete listing of top-level domains at http://www.icann.org.

Obtaining top-level domain names

To obtain top-level domains, request them from ICANN or another Internet naming authority. When you receive your domain names, you can connect to the Internet and use DNS servers to manage the mapping of names to IP addresses, and vice versa, for host devices contained within your portion of the namespace.

Domain options

After obtaining a domain name, you may choose to:

Name the computers and network devices within the assigned domain and its subdivisions.

Delegate subdomains of your domain to other users or customers.

Domain naming conventions

It is strongly recommended that you only use characters in your names that are part of the Internet standard character set permitted for use in DNS host naming. Allowed characters are defined in RFC 1123 as follows: all uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9), and the hyphen (-).

Determining your namespace requirements

When determining your namespace requirements, you need to decide how you plan to use DNS and what your goals are. Consider the following when making your decisions:

Do you plan to use your namespace for internal purposes only?

For an internal namespace, you can implement your own DNS root, use any domain name you want, and use characters outside of the Internet standard as defined in RFC 1123.

Do you plan to use your namespace on the Internet?

If you plan to use your namespace on the Internet, or think that you might do so in the future, you should register your own unique domain name by using the Internet root servers and ensure that the name conforms to Internet naming standards.

Do you implement or plan to implement Active Directory?

If you implement or plan to implement Active Directory, you need to ensure that the namespace hierarchy effectively represents the entire organization so that it can be used for the Active Directory namespace.
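The naming-convention and namespace-requirement points above, worked as an added example that is not part of the course material: a checker for the RFC 1123 character set the text quotes, with the well-known RFC 1035/1123 label and name length limits added, and an internal-only mode that (as an assumption for this example) additionally tolerates the underscore, since the text says an internal namespace may use characters outside the Internet standard.

```python
"""Checks of candidate DNS names against the Internet host-naming rules.

Added example for this module; it is not part of the original course
material. The permitted character set (A-Z, a-z, 0-9, hyphen) is the one
the text quotes from RFC 1123. The remaining limits (63 characters per
label, 253 characters in total, no leading or trailing hyphen) are the
well-known RFC 1035/1123 limits and are added here. Treating an
internal-only namespace as also tolerating the underscore is an assumption
made for the example.
"""
import re

# Internet-standard label: letters, digits and hyphen, not starting or
# ending with a hyphen, 1 to 63 characters long.
_INTERNET_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumption for the internal-only case: same shape, but the underscore is
# tolerated because nothing outside the organization will ever parse it.
_INTERNAL_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

MAX_NAME_LEN = 253
MAX_LABEL_LEN = 63


def check_dns_name(name, internet=True):
    """Return a list of problems with `name`; an empty list means it passes.

    internet=True  applies the RFC 1123 rules the text recommends for any
                   name that is, or may later be, used on the Internet.
    internet=False applies the relaxed internal-only rule described above.
    """
    if not name:
        return ["name is empty"]
    # A single trailing dot marks a fully qualified name and is not a label.
    stripped = name[:-1] if name.endswith(".") else name
    problems = []
    if len(stripped) > MAX_NAME_LEN:
        problems.append("name longer than %d characters" % MAX_NAME_LEN)
    label_re = _INTERNET_LABEL if internet else _INTERNAL_LABEL
    for label in stripped.split("."):
        if label == "":
            problems.append("empty label (leading or doubled dot)")
        elif len(label) > MAX_LABEL_LEN:
            problems.append("label %r longer than %d characters" % (label, MAX_LABEL_LEN))
        elif not label_re.match(label):
            problems.append("label %r is outside the permitted character set" % label)
    return problems


def registrable_candidates(names):
    """Filter internal-namespace candidates down to those whose syntax would
    let them be registered with a registrar later, as the text advises.
    Uniqueness (whether someone already holds the name) still has to be
    checked against a registry; syntax alone cannot tell you that."""
    return [n for n in names if not check_dns_name(n, internet=True)]
```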


Selecting a domain name

You should choose a domain name that is meaningful and represents your entire organization, even if you do not currently plan to use this name externally. This allows you to continue to use the name in the future if you change your plans. It will also enable you to use the namespace for any future Active Directory implementation.

Checking a domain name for uniqueness

After you have chosen a domain name that you would like to use, you need to check if it is unique. To check the uniqueness of a domain name, you can:

Use the Registry Whois tool at http://www.internic.net. This site allows you to see if anybody has previously registered a particular domain name.

Visit http://www.domainsurfer.com to view a list of all registered domain names that contain the text you want to use in your domain name.


Guidelines for using an existing DNS namespace

A primary benefit of using an existing namespace is that you do not need to identify and register an internal name. If you decide to use your existing DNS namespace as your internal namespace, consider the following facts and guidelines:

Users can access a single domain name when they access resources both internally and externally.

You do not need to register additional names with a DNS name registration authority.

Additional administration is required by DNS administrators to ensure that appropriate records are stored on internal and external DNS servers.

Benefits of using a unique namespace

The benefits of a separate public and private namespace include:

Improved security because users and computers outside the organization cannot access the private namespace.

Minimal impact on the existing namespace.

Minimal effort on the part of the current DNS administrators.

You can integrate DNS into an organization's existing namespace by creating separate public and private namespaces. The existing namespace is contained within the public portion of the namespace. The DNS service in Windows Server 2003 would manage the private portion of the namespace.

Guidelines for using a unique namespace

If you decide to use a namespace that is different from the existing DNS namespace, consider the following facts and guidelines:

Resources are easy to manage and secure.

Existing DNS server content does not need to be replicated to the DNS servers for the internal namespace.

Existing DNS zones and DNS topology can remain unchanged.

The internal namespace is not exposed on the Internet.

Internal resources are not accessible from the Internet.

Using a delegated namespace

Creating a single subdomain within the namespace is very similar to the strategy of creating separate public and private namespaces. However, in this case you do not divide the namespace into public and private portions, but instead specify that all Windows Server 2003-based DNS servers reside beneath a single subdomain within the namespace. For security reasons, it is generally recommended that you enable internal clients to achieve DNS resolution of both internal and external DNS namespaces but not permit external clients to access the internal namespace.

Benefit of using a delegated namespace

The primary benefit of using a delegated namespace is that there is minimal impact on the existing namespace. In addition, this strategy requires minimal effort on the part of the current DNS administrators.


Guidelines for using a delegated namespace

If you decide to use a delegated namespace as the internal namespace or the Active Directory root, consider the following facts and guidelines:

The contiguous namespace that is used is more easily understood by the administrative staff and users.

All internal data is isolated in a domain or domain tree.

A separate DNS server is required for the delegated internal domain.

The internal namespace can be long.

Important

Whatever name you use for your internal namespace, make sure that it is a name that you can and will register with a registrar. You want to avoid a situation in which two companies merge and use the same name for their Active Directory namespace.


Best Practices for Namespace Planning

Introduction

As with any planning decision, wherever possible, you should follow the established best practices when planning to implement namespaces. These best practices include the use of distinguished names, separation of internal and external namespaces, and the creation of namespaces that are compatible with Active Directory. Following these practices will help to minimize the impact on supporting the namespace.

Use distinguished names

When planning your DNS namespace, it is recommended that you use a set of distinguished names that do not overlap as the basis for your internal and external DNS use.

Examples

For example, assuming that your organization's parent domain name is microsoft.com, you could do the following:

Make the internal domain separate and discontiguous with the external namespace, using a name such as microsoft.net (or microsoft.local if you never plan to make the resources available externally).

Make the internal domain separate from the external domain but contiguous with it by using a name such as corp.microsoft.com.

Separate internal and external namespaces

Separating your internal and external namespaces makes it simpler to maintain configurations such as a domain name filter or exclusion lists. If you choose to use the same namespace for internal and external resolution, you need to create a split DNS infrastructure to support this decision.

Create an Active Directory-compatible namespace

When planning your namespace, you need to consider whether you are implementing Active Directory now or in the future. If you plan to implement Active Directory, you must ensure that the namespace you select is compatible with an Active Directory namespace.


Guidelines for Planning a Namespace

Introduction

Resolving names by using DNS is central to Windows Server 2003 operation. Without proper name resolution, users cannot locate resources on the network. It is critical that you create your DNS namespace with Active Directory in mind and that the larger namespace that exists on the Internet does not conflict with your organization's internal namespace. Consider the following guidelines when planning your namespace.

Select a DNS namespace for your domain

Identify the domain name that your organization has registered for use on the Internet (for example, contoso.com). If your company does not yet have a registered domain name, you might want to register a name on the Internet. If you choose not to register a name, make sure that the name you choose is unique. You can find out the domain names that are already in use at http://www.internic.net.

Use different namespaces for internal and external use

For internal use, you could use a namespace, such as contoso.com, or a subdomain of the external name, such as corp.contoso.com. The subdomain structure can be useful if you already have an existing DNS namespace. To simplify administration, you can assign different locations or organizations different subdomains such as nameone.corp.contoso.com or nametwo.corp.contoso.com.


Practice: Planning a DNS Namespace

Introduction

In this practice, you will plan a DNS namespace that is able to support your organization's existing and future plans.

Objective

The objective of this practice is to plan a DNS namespace.

Instructions

1. Read the scenario.

2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario

The consulting company that you work for has assigned you to a new account, Contoso, Ltd, to help plan its DNS namespace.

Contoso, Ltd is a fast-growing custom automobile parts distributor and manufacturer. The company is quickly outgrowing its Microsoft Windows NT version 4.0 network infrastructure and is in the planning stages for a migration to Windows Server 2003. The company currently has a WINS infrastructure but no DNS infrastructure.

Contoso, Ltd currently has a Web presence at http://www.contoso.com, which is hosted by its ISP, which also hosts its DNS, mail, and file transfer protocol (FTP) services.

The consulting company that Contoso, Ltd was working with previously had prepared a design document for the upgrade. In this document, you found the following information:

Contoso, Ltd is paying its ISP an exorbitant fee to host its computing services. The company would like to host these services itself after it trains or hires the necessary IT professionals and completes its Windows Server 2003 migration.

An Active Directory plan has not begun yet, but after the migration is finished, the company most likely will implement it. Any plans should take this eventuality into account.

Client workstations should be able to resolve both intranet and Internet names and to connect to services on both.


Plan the DNS namespace for Contoso, Ltd's new computing infrastructure. Describe the steps that you would take to ensure that the namespace meets the technical and business needs now and in the future.

A possible answer could be:

You could use the existing external namespace. This will be hosted on the company's externally accessible DNS server. An internal DNS server can provide services for the internal namespace. The servers should communicate to resolve external names from the internal clients but not the internal names from external (Internet) clients.

Provide several possible names for the internal namespace that would be able to support future technologies, such as Active Directory, which could possibly use the new name as its namespace.

For example, you might come up with names such as contoso-corp01.com, contoso.biz, and so on.

Check to see that the name candidates are available and can be registered with a registrar. If they are not available, continue thinking of other names and check them for availability.

Take a short list of available name candidates to the Contoso, Ltd decision makers and get an approval on the final name, and then register this name with a registrar.



Lesson: Planning Zones

Introduction

This lesson presents information that you will need to determine whether to use one or more zones in a DNS strategy. In addition, the lesson discusses required zone configurations.

Objectives

After completing this lesson, you will be able to:

Determine zone requirements.

Identify zone types.

Identify zone security requirements.

Specify zone configurations.


Selecting Zone Types

Introduction

You need to determine the zone types to use in your DNS plan and choose the appropriate storage locations for the zones. The DNS zone types you choose will influence the placement of DNS servers in a name resolution design because each zone type solves a specific requirement within a DNS plan.

What are standard zone files?

Standard zone files, also known as traditional DNS zone files, are zone files that are stored as text files on the server's hard drive. To use standard zone files, you create a zone on the DNS server that you plan to use to perform DNS database administration. This server becomes the primary zone server where all updates occur, such as resource record additions or deletions. When you create a DNS server to function as a secondary zone server, you specify the name or the IP address of the primary zone server that will provide a copy of the zone file. You can use secondary zone servers to provide load balancing and a certain degree of fault tolerance.

Standard DNS zones store the zone information in a file on a computer running Windows Server 2003 and DNS. Standard DNS zones:

Follow a single master model for storing and replicating zone information. Primary zones are the only zone types that support a read/write copy of the zone information. You are allowed only one primary zone, but you can replicate read-only copies of the zone information to any number of secondary zones and stub zones.

Allow zone transfers between primary and secondary or stub zones to occur incrementally or by transferring the entire zone contents. The DNS Server service in Windows Server 2003 supports both incremental and complete zone transfers.

Function identically to Berkeley Internet Name Domain (BIND)-based DNS servers. Traditional DNS zones have the same benefits and constraints as BIND-based DNS zones. You can use traditional DNS zones if high interoperability with BIND-based DNS servers is a design requirement.


What are Active Directory-integrated zones?

Active Directory-integrated zones store DNS zone information in Active Directory. Active Directory-integrated zones are:

Multimaster, read/write copies of the zone information. The multimaster characteristic enables you to make updates to the original Active Directory-integrated zone or to any replicated copy of the zone. It ensures that you can always perform updates to the DNS zone information.

Note

As a best practice, select Active Directory-integrated zones if your DNS design includes dynamic updates to DNS. Traditional DNS zones are not multimaster, so the failure of a DNS server with a primary zone prevents dynamic updates.

Replicated by Active Directory. Because Active Directory-integrated zones store the zone information in Active Directory, zone information is replicated along with the other Active Directory data.

Required for secured, dynamically updated DNS zones. Because Active Directory-integrated zones store the zone information in Active Directory, you can establish permissions for the computer, group, or user that can update the DNS zone information.

Replicated according to an administratively selectable scope. You can replicate DNS data to a DNS server within a forest, domain, or specific domain controllers in an Active Directory partition. You can also replicate Active Directory-integrated zone information to traditional secondary zones outside the domain.

Treated as a traditional primary zone by another BIND-based DNS server. Active Directory-integrated zones appear as traditional primary zones to a BIND-based DNS server. You can replicate DNS data to other Active Directory-integrated zones or to traditional secondary zones.


DNS zone types

There are three different zone types to choose from in a DNS plan.

Primary

Primary zones are read/write copies of zone information. A traditional primary zone is periodically transferred to servers hosting secondary zones to ensure that the secondary zone server's copy of the file is current. With Windows Server 2003 DNS servers, the primary zone server initially transfers a full copy of the zone file and then subsequently sends only changes to the secondary zone server. Active Directory-integrated primary zone information is replicated by Active Directory to other servers hosting the Active Directory-integrated zone.

Secondary

Secondary zone servers provide only limited fault tolerance: they continue to respond to DNS queries but cannot accept updates, because they hold only a read-only copy of the zone file. Windows 2000 DNS supports incremental zone transfers (IXFR), in which the primary zone server sends only the changes that have occurred to the zone file since the last zone transfer. Secondary zone types cannot be stored in Active Directory.

Stub

A stub zone is also a read-only copy of a zone. However, a stub zone contains only a subset of the records associated with that zone. It contains information about the name servers that are authoritative for that domain, allowing a client (or other DNS server) to go directly to an authoritative server without having to visit intermediate servers. This can increase the efficiency of the name resolution process across zones in discontiguous namespaces. Information in a stub zone may be transferred if a traditional stub zone is used, or replicated by Active Directory if the stub zone is Active Directory-integrated.

Using stub zones

Stub zones enable a DNS server to perform recursion by using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.

Using stub zones throughout your DNS infrastructure enables you to distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and should not be considered when addressing redundancy and load sharing.

Important

A DNS server configured with a stub zone is not authoritative for that zone. The stub zone identifies DNS servers that are authoritative for the zone.


Selecting Zone Data Location

Introduction

When planning your DNS implementation, you need to identify where the DNS zone files will be located. You can store DNS data in standard DNS zones, but in an Active Directory environment, you can choose Active Directory-integrated zones or a combination of the two.

Because Active Directory-integrated zones can replicate DNS data to traditional secondary DNS zones, you can use a combination of both zone types. You might want to do this if you have DNS servers from different vendors.

Comparison of zone types

The following table compares Active Directory-integrated zones with traditional DNS zones.

Features of DNS                                                   Active Directory-    Traditional
                                                                  integrated zones     DNS zones
Adheres to current Internet Engineering Task Force (IETF)         Yes                  Yes
specifications.
Uses a zone information replication method that is based on       Yes                  No
Active Directory replication.
Improves availability because each DNS server contains a          Yes                  No
read/write copy of the zone information.
Allows updates to the zone information, even with the failure     Yes                  No
of a single DNS server.
Supports incremental zone transfers.                              Yes                  Yes


Zone Security Considerations

Introduction

After you have identified the zones and their storage locations, you need to consider how to secure them. You can secure DNS access from private and public networks in several ways. Your security measures will depend on how you have planned your zones. The DNS zone security considerations include:

Secured dynamic updates in Active Directory.

Dynamic updates from DHCP.

DNS client dynamic updates.

Secured dynamic updates in Active Directory

Secured dynamic updates are a feature found only in Active Directory-integrated zones. Because the DNS zone information is stored in Active Directory, you can secure this information by using Active Directory security features. After you integrate a zone with Active Directory, you can use the access control list (ACL) editing features that are available in the DNS console to add or remove users or groups from the ACL for a specified zone or resource record.

When planning to secure dynamically updated DNS zones, consider that the permissions:

To update the DNS zone are set in the DNS zone container within Active Directory.

Can be assigned for the entire DNS zone or for individual resource records within the zone.

Can be assigned to a computer, group, or user account.


Dynamic DNS updates from DHCP

You can specify that the DHCP servers within your network dynamically update DNS when the DHCP server configures a DHCP client computer. On the DHCP server, you specify the DNS zone(s) that the DHCP server is responsible for automatically updating. On the DNS server, you specify the DHCP server as the only computer that is authorized to update the DNS entries.

If you use multiple Windows Server 2003 DHCP servers on your network and also configure your zones to allow secure dynamic updates only, you need to use Active Directory Users and Computers to add your DHCP servers to the built-in DnsUpdateProxy group. This will grant all of your DHCP servers secure rights to perform proxy updates for any of your DHCP clients.

You should include dynamic DNS updates from DHCP servers if:

The DNS client operating system is not Windows 2000, Windows XP, or Windows Server 2003.

Assigning the permissions that enable each computer, group, or user to update their respective DNS entries becomes unmanageable.

Allowing individual DNS clients to update DNS entries presents security risks that could potentially allow unauthorized computers to impersonate authorized computers.

DNS client dynamic updates

DNS clients running Windows 2000, Windows XP, and Windows Server 2003 can directly update DNS automatically. When these clients start, the DNS client can connect to the DNS server and automatically register the DNS client with the DNS server. You should include DNS clients that directly update DNS if:

The computer has a manually assigned, fixed IP address.

Assigning the permissions that enable the computer to update DNS entries is manageable.

Allowing individual DNS clients to update DNS entries poses no potential security risks.

By default, the Dynamic updates setting is not configured to allow dynamic updates. This is the most secure setting because it prevents an attacker from updating DNS zones, but this setting prevents you from taking advantage of the benefits to administration that dynamic update provides. To have computers securely update DNS data, store DNS zones in Active Directory and use the secure dynamic update feature.


Zone permissions

The DACL on the DNS zones that are stored in Active Directory allows you to control the permissions for the Active Directory users and groups that may control the DNS zones.

The following table lists the default group or user names and permissions for DNS zones that are stored in Active Directory.

Group or user names                   Permissions
Administrators                        Allow: Read, Write, Create All Child objects, and Special Permissions
Authenticated Users                   Allow: Create All Child objects
Creator Owner                         Special Permissions
DnsAdmins                             Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions
Domain Admins                         Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
Enterprise Admins                     Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
Enterprise Domain Controllers         Allow: Full Control, Read, Write, Create All Child objects, Delete Child objects, and Special Permissions
Everyone                              Allow: Read and Special Permissions
Pre-Windows 2000 Compatible Access    Allow: Special Permissions
System                                Allow: Full Control, Read, Write, Create All Child objects, and Delete Child objects
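The dynamic-update settings, the DnsUpdateProxy proxy updates and the default zone DACL above, modelled together as an added example that is not code from the course or from Windows: it decides whether an update is accepted under each of the three settings, using the Authenticated Users (create), Creator Owner (modify own record) and administrative-group entries of the table. Treating records registered by a DnsUpdateProxy member as owned by that group is a simplification, and every principal, address and record name below is constructed.

```python
"""Model of the dynamic-update decision for a Windows DNS zone.

Added example for the dynamic update and zone permission sections above; it
is not code from the course or from Windows. It follows the text: with
dynamic updates disabled nothing is accepted; with nonsecure updates allowed
any host can overwrite any record (the impersonation risk the text names);
with secure updates only (Active Directory-integrated zones) an authenticated
principal may create records (Authenticated Users: Create All Child objects)
and only the creator (Creator Owner) or a member of an administrative group
from the default DACL may change them. Treating records registered by a
DnsUpdateProxy member as owned by that group, and every name and address
below, are constructions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# The three values of the zone's "Dynamic updates" setting.
NONE = "none"                    # the default the text calls most secure
NONSECURE_AND_SECURE = "nonsecure_and_secure"
SECURE_ONLY = "secure_only"      # requires an Active Directory-integrated zone

# Groups that hold Write and Delete Child objects on the zone per the
# default DACL table.
ADMIN_GROUPS = {"DnsAdmins", "Domain Admins", "Enterprise Admins"}

# Simplification: DHCP servers in DnsUpdateProxy register on behalf of
# clients, so a record they create is modelled as owned by the group itself
# and any member may later update it.
PROXY_GROUP = "DnsUpdateProxy"


@dataclass
class Record:
    name: str
    rdata: str
    owner: Optional[str]   # creating principal; None when created anonymously


@dataclass
class Zone:
    name: str
    update_mode: str
    records: Dict[str, Record] = field(default_factory=dict)

    def update(self, name: str, rdata: str, principal: Optional[str] = None,
               groups: Tuple[str, ...] = ()) -> Tuple[bool, str]:
        """Apply one dynamic update and say whether it was accepted.

        principal is None for an unauthenticated (nonsecure) update; groups
        lists the Active Directory groups of an authenticated principal."""
        if self.update_mode == NONE:
            return False, "dynamic updates are disabled on this zone"
        authenticated = principal is not None
        if self.update_mode == SECURE_ONLY and not authenticated:
            return False, "secure-only zone refused an unauthenticated update"
        owner = PROXY_GROUP if PROXY_GROUP in groups else principal
        existing = self.records.get(name)
        if existing is None:
            # Creating a record: Authenticated Users hold Create All Child
            # objects, and a nonsecure zone accepts anonymous creation too.
            self.records[name] = Record(name, rdata, owner)
            return True, "record created"
        if self.update_mode == NONSECURE_AND_SECURE:
            # No ACL check is possible for an unauthenticated update, so the
            # ownership recorded earlier offers no protection in this mode.
            self.records[name] = Record(name, rdata, owner)
            return True, "record overwritten without an ownership check"
        # SECURE_ONLY: only the creator (or a proxy-group peer) or an
        # administrator may modify the existing record.
        if existing.owner == owner or ADMIN_GROUPS & set(groups):
            self.records[name] = Record(name, rdata, existing.owner)
            return True, "record updated by its owner or an administrator"
        return False, "refused: %s does not own %s (owner %s)" % (
            principal, name, existing.owner)
```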


Practice: Planning Zones

Introduction

In this practice, you will determine the zone type, zone storage location, and zone security that you will implement based on the provided scenario.

Objective

The objective of this practice is to plan a DNS zone.

Instructions

1. Read the scenario.

2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario

You are the systems engineer for Contoso, Ltd, a rapidly growing custom automobile parts distributor and manufacturer. The company is currently planning its DNS zones. You examine the design document and find the following information:

A new branch office is being opened that will have a local Active Directory domain controller.

The branch office will have a T1 link back to the main corporate office.

There will be two Active Directory domain controllers on the corporate network.

The internal namespace (and Active Directory root) will be Contoso-corp01.com.


Lesson: Planning Zone Replication and Delegation

Introduction

This lesson discusses the central principles of planning zone replication. These principles include identifying server configurations, zone delegation, and fault-tolerance requirements.

Objectives

After completing this lesson, you will be able to:

Determine DNS server configuration.

Determine if a zone should be delegated to improve performance.

Identify fault-tolerance requirements.


    When to Create a Secondary Zone


You need to address several considerations when determining the placement of a secondary zone. Although some of these considerations might not apply to your particular environment, you will need to plan for zone transfer and zone replication.

Provide zone redundancy

Adding DNS servers provides zone redundancy, enabling the resolution of DNS names in the zone for clients if the primary server for the zone stops responding. The more servers you have that are authoritative for a particular zone, the less likely it is that queries for resources in that zone will go unanswered.

Reduce network traffic

Carefully planned placement of additional DNS servers can significantly reduce DNS network traffic. For example, adding a DNS server on the far side of a low-speed WAN link can be useful in managing and reducing network traffic. If you place servers close to large client populations or close to isolated networks, you can reduce the amount of query traffic that has to flow across potentially costly and slow WAN links.

Reduce the load on the primary server

You can use additional secondary servers to reduce the load on the primary server for a zone. For example, you can direct clients to secondary servers that service queries from local clients only, not from clients across the entire enterprise.

Zone transfer and replication requirements

Zone replication and zone transfers occur when you implement a secondary server. For security reasons, you should allow zone transfers only to hosts that you specifically configure.


    Zone Transfers and Replication


Because of the essential role that zones play in DNS, it is important that they be available from more than one DNS server on the network to provide availability and fault tolerance when resolving name queries. Your implementation of DNS zones determines whether you will use zone transfer or replication. Zone transfers occur in a traditional DNS zone. Zone replication occurs in an Active Directory-integrated zone.

Zone transfers for traditional DNS zones

Zone transfers are always initiated by a zone's secondary server, which sends the request to the configured master servers that act as the zone's source. A master server can be any other DNS server that loads the zone, such as the primary server for the zone or another secondary server. When the master server receives the request for the zone, it can reply with either a partial (incremental) or a full transfer of the zone to the secondary server.

In earlier DNS implementations, any request for an update of zone data required a full transfer of the entire zone database (AXFR). In current DNS implementations, an incremental transfer (IXFR) allows the secondary server to pull only those zone changes it needs to synchronize its copy of the zone with its source, which is either a primary or a secondary copy of the zone maintained by another DNS server.

When incremental transfers are supported by both the DNS server acting as the source for a zone and the servers that copy the zone from it, they provide a more efficient method of propagating zone changes and updates. Because the incremental transfer process requires substantially less network traffic, zone transfers complete much more quickly.


Replication for Active Directory-integrated zones

Active Directory replication provides an advantage over standard DNS replication. With standard DNS replication, only the primary server for a zone can modify the zone. With Active Directory replication, all domain controllers for the domain can modify the zone and then replicate the changes to the other domain controllers. This replication process is known as multimaster replication because multiple domain controllers, or masters, can update the zone.

Replication processing is performed on a per-property basis, which means that only relevant changes are propagated. Replication processing differs from DNS full zone transfers, in which the entire zone is propagated. Replication processing also differs from incremental zone transfers, in which the server transfers every change made since the last transfer, including intermediate changes to the same record. With Active Directory replication, only the final result of all changes to a record is sent.

The DNS zones that are used to support an Active Directory domain are stored in the domain or application directory partitions of Active Directory.
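The three propagation mechanisms described above, side by side, as an added worked example that is not code from this course or from Microsoft: a Python model of a master server that keeps a change journal per SOA serial and can serve a full transfer (AXFR), serve an incremental transfer (IXFR) carrying every intermediate change, or send only the net effect on each record the way Active Directory replication does. The zone name, serial numbers and host records are constructed for the demonstration, and the model uses plain Python sets instead of the DNS wire format.

```python
"""Zone change propagation compared: full zone transfer (AXFR), incremental
zone transfer (IXFR) and Active Directory style per-record coalescing.

Added example for this module, not Microsoft code.  It models the three
mechanisms with plain Python sets instead of speaking the DNS wire protocol,
and the zone name, serial numbers and host records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

RR = Tuple[str, str, str]          # (owner, type, rdata); TTL omitted to keep the model small
Delta = Tuple[Set[RR], Set[RR]]    # (records deleted, records added) by one change


@dataclass
class ZoneJournal:
    """A master server's copy of a zone: the live record set plus a journal of
    per-serial changes, which is what an IXFR-capable master has to keep."""
    origin: str
    serial: int
    records: Set[RR]
    journal: Dict[int, Delta] = field(default_factory=dict)

    def update(self, delete: Set[RR] = frozenset(), add: Set[RR] = frozenset()) -> int:
        """Apply one change, bump the SOA serial and journal the delta."""
        self.records = (self.records - set(delete)) | set(add)
        self.serial += 1
        self.journal[self.serial] = (set(delete), set(add))
        return self.serial

    def axfr(self) -> Set[RR]:
        """Full transfer: the whole zone, whatever the secondary already holds."""
        return set(self.records)

    def ixfr(self, secondary_serial: int) -> Optional[List[Tuple[int, Delta]]]:
        """Incremental transfer: every journaled change after secondary_serial,
        oldest first.  None means the master cannot serve the request
        incrementally (serial older than the journal, or ahead of the master),
        which per RFC 1995 makes the secondary fall back to a full transfer."""
        if secondary_serial == self.serial:
            return []
        if secondary_serial > self.serial or secondary_serial + 1 not in self.journal:
            return None
        return [(s, self.journal[s]) for s in sorted(self.journal) if s > secondary_serial]

    def coalesced(self, secondary_serial: int) -> Optional[Delta]:
        """Active Directory style replication sends only the final state of
        each record: a record added and later removed never crosses the wire."""
        changes = self.ixfr(secondary_serial)
        if changes is None:
            return None
        net_del: Set[RR] = set()
        net_add: Set[RR] = set()
        for _serial, (deleted, added) in changes:
            for rr in deleted:
                if rr in net_add:
                    net_add.discard(rr)      # undoes an add the peer never saw
                else:
                    net_del.add(rr)
            for rr in added:
                if rr in net_del:
                    net_del.discard(rr)      # re-adds a record the peer still holds
                else:
                    net_add.add(rr)
        return net_del, net_add


def records_on_wire(zone: ZoneJournal, secondary_serial: int) -> Dict[str, int]:
    """How many resource records each mechanism ships to bring a secondary at
    secondary_serial up to date.  IXFR pays for every intermediate change;
    a secondary that fell out of the journal pays the full zone either way."""
    changes = zone.ixfr(secondary_serial)
    net = zone.coalesced(secondary_serial)
    full = len(zone.axfr())
    return {
        "axfr": full,
        "ixfr": full if changes is None else sum(len(d) + len(a) for _, (d, a) in changes),
        "ad_coalesced": full if net is None else len(net[0]) + len(net[1]),
    }


def build_sample_zone() -> ZoneJournal:
    """Constructed history for contoso-corp01.com: a workstation record is
    added, readdressed and removed again, and www is readdressed once."""
    zone = ZoneJournal("contoso-corp01.com.", 100, {
        ("@", "NS", "ns1.contoso-corp01.com."),
        ("ns1", "A", "10.0.0.10"),
        ("www", "A", "10.0.0.20"),
    })
    zone.update(add={("ws01", "A", "10.0.1.20")})                                        # serial 101
    zone.update(delete={("ws01", "A", "10.0.1.20")}, add={("ws01", "A", "10.0.1.21")})   # serial 102
    zone.update(delete={("www", "A", "10.0.0.20")}, add={("www", "A", "10.0.0.25")})     # serial 103
    zone.update(delete={("ws01", "A", "10.0.1.21")})                                     # serial 104
    return zone


if __name__ == "__main__":
    z = build_sample_zone()
    for have in (99, 100, 102, 104):
        print(f"secondary at serial {have}: {records_on_wire(z, have)}")
```

Note how the secondary still at serial 99 has fallen out of the journal and is pushed back to a full transfer, and how the workstation record that comes and goes between serials 101 and 104 costs IXFR four record changes but costs the coalesced, per-record replication nothing at all.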


    Zone Transfer Security Measures


After you have identified the replication process that you will use, you must secure the zone transfers. You can secure your zone transfers in several different ways.

Restricting zone transfers

By default, the Windows Server 2003 DNS Server service only allows zone information to be transferred to servers listed in a zone's NS resource records. Although this is a reasonably secure configuration, for increased security you should change this setting to allow zone transfers only to specified IP addresses. Your network security specialists still need to protect your network against IP spoofing, in case an attacker attempts to impersonate one of your specified IP addresses: the allow list is checked against the source address of the request, not against any cryptographic identity of the requesting server. Be aware that changing this setting to allow zone transfers to any server exposes your entire zone, every host name and IP address in it, to an attacker who is attempting to footprint your network.

Zone replication security

With the increasing use of virtual private networks (VPNs), DNS zone replication can occur across public networks, such as the Internet. It is important to protect the names and IP addresses replicated over these public networks against unauthorized access. You can protect the replication data by using IP Security (IPSec), VPN tunnels, or Active Directory.

Encryption using IPSec and VPN tunnels

For your security, you need to encrypt all replication traffic that is sent over public networks. If you encrypt replication traffic by using IPSec or VPN tunnels, you should consider using:

The strongest level of encryption and VPN tunnel authentication.

Routing found in the Routing and Remote Access feature of Windows 2000 to provide the IPSec or VPN tunnels.
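The zone transfer decision described above, as an added example that is not Microsoft code: a Python function that makes the same allow/refuse choice the Windows Server 2003 DNS Server makes when an AXFR request arrives, under each of its four settings, plus a helper that shows what an attacker learns when the answer is "to any server". The zone contents, the requester addresses and the policy names used here ("none", "ns", "list", "any") are constructed for the demonstration; the model resolves NS names only through glue A records inside the zone, whereas the real server can query for them.

```python
"""Zone transfer policy check modelled on the Windows Server 2003 DNS Server's
"Allow zone transfers" setting.  Added example for this module, not Microsoft
code: the zone, requester addresses and policy names are constructed."""
from ipaddress import ip_address
from typing import List, Set, Tuple

RR = Tuple[str, str, str]   # (owner FQDN, type, rdata)

RCODE_NOERROR = 0
RCODE_REFUSED = 5           # a locked-down server answers an unauthorised AXFR with REFUSED

# Constructed zone: the name servers plus a few internal hosts an attacker would love to enumerate.
SAMPLE_ZONE: Set[RR] = {
    ("contoso-corp01.com.", "NS", "ns1.contoso-corp01.com."),
    ("contoso-corp01.com.", "NS", "ns2.contoso-corp01.com."),
    ("contoso-corp01.com.", "MX", "10 mail.contoso-corp01.com."),
    ("ns1.contoso-corp01.com.", "A", "10.0.0.10"),
    ("ns2.contoso-corp01.com.", "A", "10.0.0.11"),
    ("mail.contoso-corp01.com.", "A", "10.0.0.25"),
    ("www.contoso-corp01.com.", "A", "10.0.0.20"),
    ("dc01.contoso-corp01.com.", "A", "10.0.0.5"),
    ("sql01.contoso-corp01.com.", "A", "10.0.2.30"),
}


def ns_addresses(zone: Set[RR]) -> Set[str]:
    """Addresses of the servers named in the zone's NS records, taken from glue
    A records inside the zone (the real server resolves NS names it has no glue
    for; this model deliberately keeps that part simple)."""
    ns_names = {rdata for _, rtype, rdata in zone if rtype == "NS"}
    return {rdata for owner, rtype, rdata in zone if rtype == "A" and owner in ns_names}


def zone_transfer_decision(policy: str, allow_list: Set[str], zone: Set[RR],
                           requester_ip: str) -> Tuple[int, Set[RR]]:
    """The allow/refuse decision for an AXFR request from requester_ip.

    policy is "none" (no transfers), "ns" (only servers in the NS records, the
    Windows Server 2003 default), "list" (only the explicit allow_list) or "any".
    Every policy keys off the source address alone; nothing here proves who is
    really at that address, which is why the text still demands anti-spoofing
    controls and encryption on any path that crosses a public network."""
    src = ip_address(requester_ip)              # raises ValueError on a malformed address
    if policy == "none":
        permitted = False
    elif policy == "ns":
        permitted = src in {ip_address(a) for a in ns_addresses(zone)}
    elif policy == "list":
        permitted = src in {ip_address(a) for a in allow_list}
    elif policy == "any":
        permitted = True
    else:
        raise ValueError(f"unknown policy {policy!r}")
    if not permitted:
        return RCODE_REFUSED, set()
    return RCODE_NOERROR, set(zone)


def footprint(transferred: Set[RR]) -> List[Tuple[str, str]]:
    """What a footprinting attacker extracts from a successful transfer: every
    host name and its address, sorted for reading."""
    return sorted((owner, rdata) for owner, rtype, rdata in transferred if rtype == "A")


if __name__ == "__main__":
    for policy, who in (("ns", "10.0.0.11"), ("ns", "198.51.100.7"),
                        ("list", "10.0.0.10"), ("any", "198.51.100.7")):
        rcode, records = zone_transfer_decision(policy, {"10.0.0.11"}, SAMPLE_ZONE, who)
        print(f"policy={policy:<4} from {who:<14} rcode={rcode} hosts leaked={len(footprint(records))}")
```

On Windows Server 2003 the equivalent configuration lives on the Zone Transfers tab of the zone's properties, or at the command line with `dnscmd /ZoneResetSecondaries <zone> /SecureList <ip ...>`; under the "list" policy even the primary's own NS partner at 10.0.0.10 is refused unless it is listed, which is the tightening the text recommends.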


Encryption and authentication using Active Directory

You can protect replication traffic by using Active Directory-integrated zones. Because these zones are stored in Active Directory, they provide inherent security by:

Replicating only between DNS servers that host Active Directory-integrated zones, that is, between domain controllers.

Requiring all DNS servers that have Active Directory-integrated zones to be registered with Active Directory.

Encrypting all replication traffic between DNS servers.

Reducing the impact of replication

You can reduce the impact of DNS replication traffic on overused network segments to improve data transmission rates for other network traffic. To improve the performance of replication traffic, consider:

Using fast zone transfers to compress the zone replication data in a standard DNS infrastructure. Note that older versions of BIND do not support fast zone transfers.

Modifying the replication schedule of secondary zones to replicate during non-peak hours of operation.

Performing incremental zone replication instead of complete zone replication when possible.

Note: Incremental zone replication requires BIND version 8.2.1 or later. The Windows NT 4.0 DNS service performs only complete zone transfers.


    Guidelines for Planning Zone Replication and Delegation


The following are the recommended guidelines for planning zone replication and delegation.

Identify when to create additional zones

You may need additional secondary zones. There are two primary reasons to create an additional secondary zone:

To achieve zone redundancy.

To reduce network traffic and the load on the primary server.

Determine replication methodology

If you use Active Directory-integrated zones, zone data is replicated by Active Directory replication. If you use the traditional DNS zone structure, you must use zone transfers.

Determine replication security requirements

You can use a variety of methods to implement security. Your choice of method depends on the replication requirements of your environment.

Determine the need for delegating a zone

You need to determine whether you will need to delegate the management of one or more of your zones. Reasons to do so include extending the namespace, distributing the load among several servers, and delegating zone management to another individual or group.


    Practice: Planning Zone Replication and Delegation


In this practice, you will plan the zone replication and delegation for a newly acquired company.

The objective of this practice is to plan zone replication and delegation.

1. Read the scenario.

2. Prepare to discuss the challenges of this task in a post-practice discussion.

Scenario

You are a systems engineer for Contoso, Ltd, a rapidly growing custom automobile parts distributor and manufacturer that has recently acquired a research and development firm, Fabrikam, Inc.

Fabrikam, Inc. has five BIND version 8.3.3 departmental DNS servers in its primarily UNIX network environment. Contoso, Ltd plans to place a Windows Server 2003 domain controller with DNS installed in the Fabrikam, Inc. environment and to establish a VPN between the two companies to share data and begin merging the two data infrastructures.

There will be a large number of file shares on the Windows Server 2003 computer, and client/server traffic between the two companies will steadily increase. Fabrikam, Inc. wants to reduce the DNS load on the Windows Server 2003 server by using the existing BIND servers.


How can you use the BIND servers to reduce the load on the Windows Server 2003 server for queries for names in the Contoso, Ltd zone?

You can create secondary zones on the BIND servers to allow each of the departmental DNS servers to resolve names in the Contoso, Ltd zone.

What should you do to allow zone transfers between the Windows Server 2003 DNS server and the departmental BIND servers?

The IP address of each of the BIND secondary servers should be specified in the zone transfer settings on the Windows Server 2003 DNS server, so that zone transfers are allowed to those servers only. Because the Windows Server 2003 DNS server is the master for the zone, the secondary servers initiate the transfers, and BIND 8.3.3 can request incremental transfers.

In the future, Fabrikam, Inc. might adopt the Contoso, Ltd name. What can you do with the Fabrikam, Inc. namespace to allow Fabrikam, Inc. to maintain some degree of autonomy over the DNS data in its organization?

A Fabrikam, Inc. subdomain can be created in the Contoso, Ltd zone and delegated to the Fabrikam, Inc. DNS servers, so that Fabrikam, Inc. can administer its own zone information.


    Lesson: Integrating DNS and WINS


This lesson discusses the integration of DNS and WINS in an environment that uses both NetBIOS name resolution and host name resolution.

After completing this lesson, you will be able to:

Determine when to configure DNS servers to use WINS for host name resolution.

Explain how to designate a subdomain for WINS resolution.


    Multimedia: Integrating DNS and WINS


The objective of this presentation is to explain the name resolution process when a DNS zone is configured for WINS forward lookup.

You will learn how to:

Explain how a DNS server can use WINS to resolve host names.

Explain why the authoritative DNS server requires WINS records.

When viewing this presentation, you should consider the following questions:

Can a DNS server resolve NetBIOS names?

Which DNS server needs to be configured for WINS lookup?


    WINS Integration


The DNS Server service provides you the ability to use WINS servers to look up names not found in the DNS domain namespace by checking the NetBIOS namespace managed by WINS. Two special resource record types, the WINS and WINS-R records, are used to integrate DNS and WINS.

A typical reason to use this feature is a heterogeneous computing environment in which you have hosts that do not have the ability to query and register with WINS themselves (for example, UNIX hosts) combined with hosts that can only dynamically register NetBIOS names with WINS (for example, Windows NT 4.0 or Windows 95 hosts). Using WINS integration, the UNIX hosts are able to resolve the Windows hosts' names by using DNS.

WINS resource records

You use a WINS forward lookup resource record to provide further resolution of DNS queries for names that were not found in a zone, by sending a name query to the WINS servers listed in this record. If used, the WINS record applies only to the topmost level within a zone and not to subdomains used in the zone.


The following table describes the fields that are used with the WINS resource record.

Field                Description

Owner                Indicates the owner domain for this record. This field should always be set to @ to indicate that the current domain is the same as the zone origin.

Class                Indicates the class for this record. This field should always be set to IN, because the Internet class is the only class supported by DNS servers running Windows Server 2003.

Local                Indicates that the WINS resource record is only to be used locally at the DNS server and is not to be included during zone replication with other DNS servers. This field corresponds to the Do not replicate this record check box that is selected or cleared when you configure WINS lookup in the DNS console. If the check box was cleared, this field is not included when the record is written to the zone.

Lookup_timeout       The timeout value, in seconds, that is applied to WINS lookups made for this record.

Cache_timeout        The cache timeout value, in seconds, that is applied to answers obtained through this record.

Wins_ip_addresses    Specifies one or more IP addresses of WINS servers. At least one IP address of a valid WINS server is required.

Syntax

owner class WINS [LOCAL] [Lookup_timeout] [Cache_timeout] wins_ip_addresses

Examples

@ IN WINS 10.0.0.1

@ IN WINS LOCAL L1 C10 10.10.10.1 10.10.10.2 10.10.10.3

Note: In the provided WINS resource record examples, the zone root is assumed to be the current origin.

WINS-R resource records

You use a WINS-R resource record in a reverse lookup zone to provide further resolution for reverse queries that were not found in the zone. When using this record, you specify the parent domain to be appended to a NetBIOS computer name when a successful reverse lookup occurs. The other fields used in the WINS-R resource record have the same description and purpose as described for the WINS forward lookup record.

WINS-R resource record syntax

owner class WINS-R [LOCAL] [Lookup_timeout] [Cache_timeout] Domain_to_append_to_returned_NetBIOS_names


WINS-R resource record examples

@ IN WINS-R LOCAL L1 C10 example.microsoft.com.

@ IN WINS-R wins.example.microsoft.com.

Note: In the provided WINS-R resource record examples, the zone root is assumed to be the current origin.
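A parser for the WINS and WINS-R record syntax given above, as an added example that is not part of the course material or of Microsoft's DNS Server: it reads the zone-file lines, enforces the constraints the field table states (owner must be @, class must be IN, at least one WINS server address, exactly one domain for WINS-R), shows which records a master withholds from a zone transfer because of the LOCAL flag, and builds the name a WINS-R reverse lookup hands back. The record lines are the ones in the text plus a few constructed malformed ones; the 900-second default cache timeout is the 15-minute console default the lesson states, and leaving the lookup timeout unset when the L field is absent is a choice of this example rather than documented server behaviour.

```python
"""Parser for the WINS and WINS-R resource record lines of a Windows Server
2003 zone file, e.g. "@ IN WINS LOCAL L1 C10 10.10.10.1 10.10.10.2".

Added example for this module, not Microsoft code.  The sample lines are the
ones from the lesson plus constructed bad lines; DEFAULT_CACHE_TIMEOUT is the
15-minute console default the lesson states."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Optional

DEFAULT_CACHE_TIMEOUT = 15 * 60   # 900 s; applies when no C<n> field is present


@dataclass
class WinsRecord:
    rtype: str                      # "WINS" (forward zone) or "WINS-R" (reverse zone)
    local: bool                     # LOCAL: "Do not replicate this record", kept out of zone transfers
    lookup_timeout: Optional[int]   # seconds to wait for WINS; None = not set in the record (assumption)
    cache_timeout: int              # seconds a WINS answer is cached and the TTL it is served with
    wins_servers: List[IPv4Address] = field(default_factory=list)   # WINS only
    append_domain: Optional[str] = None                             # WINS-R only


def _take_timeout(tokens: List[str], letter: str) -> Optional[int]:
    """Consume a leading L<n> or C<n> token; return n, or None if it is absent."""
    if tokens and tokens[0][:1].upper() == letter and tokens[0][1:].isdigit():
        return int(tokens.pop(0)[1:])
    return None


def parse_wins_record(line: str) -> WinsRecord:
    """Parse one WINS or WINS-R line, raising ValueError on anything the
    record syntax in this lesson does not allow."""
    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"too few fields: {line!r}")
    owner, rclass, rtype = tokens[0], tokens[1].upper(), tokens[2].upper()
    if owner != "@":
        raise ValueError("WINS and WINS-R records apply only at the zone root, so the owner must be @")
    if rclass != "IN":
        raise ValueError("only class IN is supported")
    if rtype not in ("WINS", "WINS-R"):
        raise ValueError(f"not a WINS record type: {rtype}")
    rest = tokens[3:]
    local = bool(rest) and rest[0].upper() == "LOCAL"
    if local:
        rest.pop(0)
    lookup = _take_timeout(rest, "L")
    cache = _take_timeout(rest, "C")
    if cache is None:
        cache = DEFAULT_CACHE_TIMEOUT
    if rtype == "WINS":
        if not rest:
            raise ValueError("at least one WINS server IP address is required")
        servers = [IPv4Address(t) for t in rest]        # AddressValueError (a ValueError) on junk
        return WinsRecord("WINS", local, lookup, cache, wins_servers=servers)
    if len(rest) != 1:
        raise ValueError("WINS-R takes exactly one domain to append to returned NetBIOS names")
    if not rest[0].endswith("."):
        raise ValueError("the domain to append must be fully qualified (trailing dot)")
    return WinsRecord("WINS-R", local, lookup, cache, append_domain=rest[0].lower())


def rejects(line: str) -> bool:
    """True if the parser refuses the line; used to check the constructed bad samples."""
    try:
        parse_wins_record(line)
    except ValueError:
        return True
    return False


def is_wins_line(line: str) -> bool:
    tokens = line.split()
    return len(tokens) >= 3 and tokens[2].upper() in ("WINS", "WINS-R")


def records_for_transfer(zone_lines: List[str]) -> List[str]:
    """What a master sends a secondary: every line except WINS/WINS-R records
    flagged LOCAL, which stay on the server that owns them."""
    return [ln for ln in zone_lines if not (is_wins_line(ln) and parse_wins_record(ln).local)]


def reverse_answer_name(netbios_name: str, record: WinsRecord) -> str:
    """Name returned by a WINS-R lookup: the NetBIOS name from the node status
    response with the record's domain appended."""
    if record.rtype != "WINS-R" or record.append_domain is None:
        raise ValueError("needs a WINS-R record")
    return f"{netbios_name.lower()}.{record.append_domain}"


if __name__ == "__main__":
    for sample in ("@ IN WINS 10.0.0.1",
                   "@ IN WINS LOCAL L1 C10 10.10.10.1 10.10.10.2 10.10.10.3",
                   "@ IN WINS-R LOCAL L1 C10 example.microsoft.com.",
                   "@ IN WINS-R wins.example.microsoft.com."):
        print(parse_wins_record(sample))
```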

WINS reverse lookup

Because the WINS database is not indexed by IP address, the DNS service cannot send a reverse name lookup to the WINS service to get the name of a computer based on its IP address. Instead, the DNS service sends a NetBIOS node adapter status request directly to the IP address implied in the DNS reverse query. When the DNS server gets the NetBIOS name from the node status response, it appends the DNS domain name from the WINS-R record to that NetBIOS name and returns the result to the requesting client.


    Modifying Cache Timeout Settings


DNS servers cache all information they receive for the time period specified in the returned data. This amount of time is referred to as the Time to Live (TTL). As the name server administrator of the zone, you decide the length of the TTL for the data. Smaller TTL values help ensure that data about your domain is more consistent across the network if this data changes often. However, be aware that smaller TTL values also increase the load on your name server, because resolvers have to query it more often.

Cache timeout settings

Cache timeout settings indicate to a DNS server how long it should cache any of the information returned in a WINS lookup. By default, this value is set to 15 minutes.

After a DNS server caches the data, it starts decreasing the TTL from its original value so that it knows when to flush the data from its cache. If a query arrives that can be satisfied by this cached data, the TTL that is returned with the data is the current amount of time left before the data is flushed from the DNS server cache. Client resolvers also have data caches and honor the TTL value so that they know when the data should expire.

You configure the Cache timeout parameter by using the Advanced button in the Zone Properties dialog box when you configure the zone. This button appears on either the WINS or the WINS-R tab, depending on whether the zone you are configuring is used for forward or reverse lookup.


Why change cache timeout settings?

If you are using either a WINS or a WINS-R resource record, be aware that the minimum TTL set in the start of authority (SOA) record for the zone is not the default TTL used with these records. Instead, when either an IP address or a host name is resolved with WINS lookup, the information is cached on the DNS server for the amount of time configured for the WINS cache timeout value. If this answer is subsequently forwarded to another DNS server, it is sent with the WINS cache timeout value as its TTL.

If you have data in WINS that rarely changes, you might be able to lengthen the amount of time this data is cached to more than the default 15 minutes. This reduces the number of queries between a DNS server and a WINS server, because the DNS server is able to answer queries out of its cache more often.
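The cache behaviour described above, as an added example that is not Microsoft code: a Python model of a DNS server cache that stores WINS-resolved answers for the WINS cache timeout rather than the zone's SOA minimum TTL, returns the remaining TTL on a cache hit, flushes expired entries, and counts how many round trips to WINS a stream of client queries costs at different cache timeouts. The host names, the WINS database and the query schedule are constructed for the demonstration.

```python
"""A DNS server cache model: entries carry an absolute expiry, a cache hit
returns the time left, and WINS-resolved answers are cached for the WINS
cache timeout instead of the zone's SOA minimum TTL.

Added example for this module, not Microsoft code.  Names, the WINS database
and the query schedule are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

WINS_CACHE_TIMEOUT_DEFAULT = 15 * 60   # 900 s: the console default for WINS lookup results


@dataclass
class CacheEntry:
    rdata: str
    expires_at: int      # absolute time, seconds
    source: str          # "zone" (record TTL / SOA minimum) or "wins" (WINS cache timeout)


class DnsServerCache:
    def __init__(self, soa_minimum_ttl: int, wins_cache_timeout: int = WINS_CACHE_TIMEOUT_DEFAULT):
        self.soa_minimum_ttl = soa_minimum_ttl
        self.wins_cache_timeout = wins_cache_timeout
        self.entries: Dict[str, CacheEntry] = {}
        self.wins_lookups = 0          # round trips to a WINS server so far

    def store_zone_answer(self, name: str, rdata: str, now: int, ttl: Optional[int] = None) -> None:
        """Answer from zone data: cached for the record's TTL, or the SOA minimum if it has none."""
        ttl = self.soa_minimum_ttl if ttl is None else ttl
        self.entries[name.lower()] = CacheEntry(rdata, now + ttl, "zone")

    def store_wins_answer(self, name: str, rdata: str, now: int) -> None:
        """Answer obtained from WINS: cached for the WINS cache timeout, not the SOA minimum."""
        self.wins_lookups += 1
        self.entries[name.lower()] = CacheEntry(rdata, now + self.wins_cache_timeout, "wins")

    def lookup(self, name: str, now: int) -> Optional[Tuple[str, int]]:
        """Cache hit -> (rdata, remaining TTL); absent or expired -> None, and the
        stale entry is flushed.  The remaining TTL is what goes to the client, or
        to a downstream DNS server that forwarded the query to us."""
        key = name.lower()
        entry = self.entries.get(key)
        if entry is None:
            return None
        remaining = entry.expires_at - now
        if remaining <= 0:
            del self.entries[key]
            return None
        return entry.rdata, remaining


def resolve_via_wins(cache: DnsServerCache, name: str, now: int,
                     wins_db: Dict[str, str]) -> Optional[Tuple[str, int]]:
    """Name not in the zone: serve from cache if possible, otherwise ask WINS
    (one counted round trip) and cache the answer under the WINS timeout."""
    hit = cache.lookup(name, now)
    if hit is not None:
        return hit
    netbios = name.split(".")[0].upper()[:15]     # first label as a NetBIOS name (constructed db keyed so)
    addr = wins_db.get(netbios)
    if addr is None:
        return None
    cache.store_wins_answer(name, addr, now)
    return cache.lookup(name, now)


def wins_lookups_for(query_times: Iterable[int], cache_timeout: int,
                     name: str = "ws01.contoso-corp01.com.") -> int:
    """Round trips to WINS that a stream of client queries for one name costs
    at a given cache timeout; this is the trade-off behind raising the default."""
    cache = DnsServerCache(soa_minimum_ttl=3600, wins_cache_timeout=cache_timeout)
    wins_db = {"WS01": "10.0.1.20"}                # constructed WINS database
    for t in query_times:
        resolve_via_wins(cache, name, t, wins_db)
    return cache.wins_lookups


if __name__ == "__main__":
    every_minute = range(0, 3600, 60)
    for timeout in (600, 900, 3600):
        print(f"cache timeout {timeout:>4}s: {wins_lookups_for(every_minute, timeout)} WINS lookups per hour")
```

With one query a minute, the default 15-minute timeout costs four WINS round trips an hour and an hour-long timeout costs one; the price of the longer timeout is that a changed WINS registration stays wrong in the DNS cache for up to that long, which is why the text limits the advice to data that rarely changes.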


    WINS Integration Best Practices


You can allow DNS clients to resolve host names found in the WINS service. This eliminates the need to create DNS zone entries for all of the computers in your organization. You can resolve host names found in the WINS service by forwarding unresolved DNS queries to a WINS server. You can establish the forwarding of these queries on a zone-by-zone basis.

Designate a subdomain for WINS resolution

To integrate WINS resolution into your DNS design, you designate a subdomain within the organization's namespace that you will use as a placeholder for the WINS names. You need to specify that the subdomain contains no entries except for the WINS and WINS-R resource records.

For organizations that have separate private and public namespaces, you create the subdomain for WINS under the private namespace. For organizations that have the same namespace for private and public name resolution, you create the subdomain for WINS at a level beneath the root of the organization.

Delegate unresolved DNS queries to a subdomain

For domain names that are within the organization's namespace, if you want to:

Resolve names within the WINS service before other domains, specify that the DNS queries be forwarded to the delegated subdomain for WINS first.

Resolve names within other domains before resolving them within WINS, specify that the DNS queries be forwarded to the delegated subdomain for WINS last.


    Lab A: Planning a DNS Strategy


In this lab, you will plan a DNS strategy.

After completing this lab, you will be able to plan the configuration of DNS servers to support an internal and an external namespace.

You are a systems engineer for Northwind Traders. You have been asked to plan the configuration of DNS servers for the public Web presence and the internal namespace used in the corporate offices.

Northwind Traders maintains eight separate Web servers that are used for Internet-based access by customers. The Web servers are configured as:

Two Network Load Balancing clusters of three servers each, supporting http://www.nwtraders.com by using round-robin DNS records.

A single Network Load Balancing cluster of two servers supporting b2b.nwtraders.com.

The internal namespace, corp.nwtraders.com, uses Active Directory-integrated zones configured on the domain controll