windows server 2003 and windows 2000 dns
Chapter 3: PLANNING A HOST NAME RESOLUTION STRATEGY
OVERVIEW
Describe the steps involved in designing a Domain Name System (DNS) namespace.
Identify which factors are critical in determining zone replication requirements.
Understand where and when to place forwarders.
Describe what security options exist for DNS.
Explain how Microsoft Windows Server 2003 DNS can interoperate with third-party products such as Berkeley Internet Name Domain (BIND).
Explain how Windows Server 2003 DNS interoperates with DNS servers running on Microsoft Windows 2000 and Microsoft Windows NT 4.0.
UNDERSTANDING NAME RESOLUTION REQUIREMENTS
Name resolution is key to the correct operation of Transmission Control Protocol/Internet Protocol (TCP/IP)–based networks.
Name resolution can be required for both internal and external clients.
Name resolution can be performed by both internal and external servers.
UNDERSTANDING NAME RESOLUTION REQUIREMENTS (CONTINUED)
DNS requirements depend on the following:
Which hosts on the internal network the organization's clients need to resolve
Which hosts on the external network (the Internet) the organization's clients need to resolve
Which of the organization's hosts, on the internal network or on a screened subnet, clients on the Internet should be able to resolve
HOSTING AN INTERNET DOMAIN
If you have an Internet domain, you can host the DNS zones for the domain on your own DNS servers or on the DNS servers of an Internet service provider (ISP).
If you are hosting an Internet domain on your own DNS servers, the servers must have registered (publicly routable) IP addresses and be accessible at all times.
If you use ISP DNS servers to host the domain, you should be aware of the ISP's policy regarding resource record additions and changes.
USING MULTIPLE DOMAINS
If you wish to represent multiple entities on the Internet, you have two choices:
Register a single second-level domain name and create subdomains, such as doctors.contoso.com and patients.contoso.com
Register multiple second-level domains, such as contosodoctors.com and contosopatients.com
USING ACTIVE DIRECTORY
The Active Directory directory service requires that you implement at least one DNS server on the network that supports service location (SRV) resource records.
If the DNS server is unavailable, users might not be able to log on to the system, Active Directory replication might fail, and users already logged on might not be able to access resources.
COMBINING DNS FUNCTIONS
DESIGNING A DNS NAMESPACE
An optimally designed namespace is simple to administer and reflective of the organization that it serves.
The design process for a namespace should include all elements, from the second-level domain to any subdomains and the hosts in those domains.
Naming standards should be defined before the DNS namespace is created.
USING AN EXISTING NAMESPACE
Use the existing domain name, and if necessary, expand it to include internal subdomains.
If you are replacing existing DNS servers that host a domain, inform the ISP (or the domain registrar) of the change so that the appropriate changes can be made to the resource records that point at your servers.
If you are creating a subdomain, you do not need to inform the ISP.
UPGRADING NETBIOS TO DNS
If the existing NetBIOS namespace is formalized, replicate that namespace within DNS.
If the existing NetBIOS namespace is not structured, create a formalized namespace within DNS.
The DNS Server service can be configured to look up names it cannot find in a zone in WINS (by adding a WINS resource record to the zone), so that clients that know only DNS can still resolve NetBIOS-registered hosts.
EXTERNAL DOMAINS
External domains generally are domains that are accessible over the Internet.
Companies can have more than one external domain, as required.
External domains can be hosted internally by an organization or externally by an ISP.
INTERNAL DOMAINS
Create domains and subdomains as needed.
Keep domain names short and adhere to naming policies.
Adhere to general geographic or functional boundaries.
CREATING SUBDOMAINS
Subdomains of second-level domains can be created without any registration requirements.
Subdomains provide a mechanism to create a domain structure that matches the physical or logical company structure.
Subdomains allow control of domains or zones to be delegated to other administrators.
COMBINING INTERNAL AND EXTERNAL DOMAINS
When combining internal and external domains, options include the following:
Using the same domain name internally and externally (this requires two separately maintained copies of the zone, one on the internal servers and one on the Internet-facing servers, so that internal host records are never published to the Internet)
Creating separate and unrelated internal and external domains
Making the internal domain a subdomain of the external domain
CREATING AN INTERNAL ROOT
Create your own internal root zone (".") on one of your Windows Server 2003 DNS servers.
Once the other DNS servers in the organization have their root hints pointed at that server, they treat it as the root server; a server that hosts the root zone cannot itself forward or recurse to the Internet root servers.
Creating an internal root can speed up resolution for clients in the enterprise: names outside the internal namespace are answered as nonexistent immediately instead of being sent to the Internet.
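The delegation of a subdomain and the creation of an internal root, as an added example that is not part of the original chapter. It uses dnscmd, the command-line administration tool for the Windows Server 2003 DNS Server service, and assumes invented server names and addresses: DNS1 (10.0.1.10) is authoritative for contoso.com, and a server at 10.0.2.10 will host the delegated child zone doctors.contoso.com.

```batch
@echo off
rem Added illustration for this chapter; server names and IP addresses are invented.

rem --- On DNS1, authoritative for contoso.com ---
rem A delegation is an NS record for the child plus a glue A record, because the
rem child's name server lives inside the zone being delegated.
dnscmd DNS1 /RecordAdd contoso.com doctors NS ns1.doctors.contoso.com
dnscmd DNS1 /RecordAdd contoso.com ns1.doctors A 10.0.2.10

rem --- On the child server (10.0.2.10): create the zone and its own NS host record ---
dnscmd 10.0.2.10 /ZoneAdd doctors.contoso.com /Primary /file doctors.contoso.com.dns
dnscmd 10.0.2.10 /RecordAdd doctors.contoso.com ns1 A 10.0.2.10

rem --- Internal root zone, only on a server that must never resolve Internet names ---
dnscmd DNS1 /ZoneAdd . /Primary /file root.dns
rem Caveat: a server that hosts "." ignores its root hints and the Forwarders tab becomes
rem unavailable, so Internet names stop resolving through it. Use this only on an
rem isolated network, or where a proxy performs Internet name resolution on behalf of clients.

rem --- Check the delegation from DNS1's point of view ---
nslookup -type=NS doctors.contoso.com 10.0.1.10
```

Removing the root zone later (`dnscmd DNS1 /ZoneDelete . /f`) restores the use of root hints and forwarders on that server.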
CREATING HOST NAMES
Create easily remembered names.
Use unique names throughout the organization.
Do not use case to distinguish names.
Use only characters supported by all of your DNS servers (if BIND servers hold copies of the zone, restrict names to letters, digits and hyphens; Windows DNS accepts UTF-8 names by default, BIND does not).
IMPLEMENTING A DNS NAME RESOLUTION STRATEGY
Consider how many DNS servers to use.
Understand the DNS server types needed.
DECIDING ON THE NUMBER OF DNS SERVERS TO USE
More than one DNS server should be implemented for fault tolerance and load-balancing purposes.
The DNS server role does not require very powerful hardware, nor does it generally place a considerable burden on the underlying system.
Prudent placement of DNS servers can improve network responsiveness and minimize wide area network (WAN) traffic.
UNDERSTANDING DNS SERVER TYPES
Caching-only servers
Forwarders
Chaining forwarders
Conditional forwarding
USING CACHING-ONLY SERVERS
Contain no zone information and host no domains
Resolve every request on the client's behalf, either by iterating from the root hints or by sending it as a recursive query to a configured forwarder
Cache the results of successful resolutions to prevent repetitive queries
USING FORWARDERS
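The caching-only server, chained forwarders and conditional forwarding described in this part of the chapter, configured with dnscmd, as an added example that is not from the original chapter. Names and addresses are invented: CACHE1 is a branch-office caching-only server, FWD1 (10.0.1.20) is the head-office forwarder, 203.0.113.53 stands in for the ISP's resolver and 198.51.100.10 for a partner organisation's DNS server.

```batch
@echo off
rem Added illustration for this chapter; server names and IP addresses are invented.

rem --- CACHE1: caching-only. Add no zones; just point it at the internal forwarder. ---
rem /Slave is the "do not use recursion for this domain" setting: if FWD1 does not answer
rem within the timeout, CACHE1 fails the query instead of falling back to root hints and
rem iterating on its own, which keeps branch clients from talking to the Internet directly.
dnscmd CACHE1 /ResetForwarders 10.0.1.20 /TimeOut 5 /Slave

rem --- FWD1: chained forwarder. Anything it cannot answer goes to the ISP resolver. ---
rem Without /Slave, FWD1 still falls back to its root hints if the ISP resolver is down.
dnscmd FWD1 /ResetForwarders 203.0.113.53 /TimeOut 5

rem --- Conditional forwarding: queries for partner.example go straight to the partner. ---
rem A /Forwarder "zone" holds no records; it only names the servers to forward to.
dnscmd FWD1 /ZoneAdd partner.example /Forwarder 198.51.100.10 /TimeOut 5 /Slave

rem --- Verify: CACHE1 should list no zones apart from the automatic reverse-lookup zones,
rem and the server information dump should show the forwarder just configured. ---
dnscmd CACHE1 /EnumZones
dnscmd CACHE1 /Info
```

Chaining works because each hop only needs to reach the next one: the branch firewall can allow DNS from CACHE1 to FWD1 alone, and only FWD1 needs outbound UDP/TCP 53 to the Internet.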
CREATING ZONES
Primary zones contain the master copy of the zone database, in which administrators make all changes to the zone's resource records.
Secondary zones are read-only duplicates of a primary zone held on another server.
Stub zones are copies of a primary zone that contain only the start of authority (SOA) and name server (NS) resource records, plus the host (A) resource records that identify the authoritative servers for the zone.
UNDERSTANDING ZONE TRANSFER
In a standard zone, resource records are held in a text file on the server's hard drive; an Active Directory–integrated zone stores them in the directory instead.
Secondary servers pull zone transfers from their master server so that secondary zones stay up-to-date; the master can notify them when the zone changes.
Zone transfers can be configured to occur when changes are made (DNS Notify) or at the refresh interval specified in the zone's SOA record.
Zone transfers can be incremental (IXFR, only the changes made since the serial number the secondary already holds) or full (AXFR).
USING ACTIVE DIRECTORY–INTEGRATED ZONES
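The zone types and transfer behaviour covered above, together with the SRV-record check that the Active Directory section calls for, as an added dnscmd example that is not part of the original chapter. Assumed (invented) layout: DNS1 (10.0.1.10) is a domain controller for contoso.com, DNS2 (10.0.1.11) is a member server in the same site and DNS3 (10.0.3.10) is a server in a remote site that only needs to know who is authoritative for the zone.

```batch
@echo off
rem Added illustration for this chapter; server names, zone name and addresses are invented.

rem --- DNS1: Active Directory-integrated primary, replicated to all DCs in the domain ---
rem /DP /domain stores the zone in the DomainDnsZones application partition. Use /DP /legacy
rem (domain partition) instead while Windows 2000 domain controllers still need to load it.
dnscmd DNS1 /ZoneAdd contoso.com /DsPrimary /DP /domain
rem Secure-only dynamic updates (2) are available only for directory-integrated zones.
dnscmd DNS1 /Config contoso.com /AllowUpdate 2

rem --- DNS2: standard secondary, pulling from DNS1 and keeping a file copy ---
dnscmd DNS2 /ZoneAdd contoso.com /Secondary 10.0.1.10 /file contoso.com.dns

rem --- DNS3: stub zone. Transfers only the SOA, NS and glue A records from DNS1. ---
dnscmd DNS3 /ZoneAdd contoso.com /Stub 10.0.1.10 /file contoso.com.dns

rem --- Change the primary, then make the secondary check the SOA serial immediately ---
rem The serial on DNS1 increases with the change. DNS2 then requests an incremental (IXFR)
rem transfer if DNS1 still holds the change history, and a full (AXFR) transfer otherwise.
dnscmd DNS1 /RecordAdd contoso.com www A 10.0.1.80
dnscmd DNS2 /ZoneRefresh contoso.com
rem Compare the serial numbers reported by both servers; they should now match.
dnscmd DNS1 /ZoneInfo contoso.com
dnscmd DNS2 /ZoneInfo contoso.com

rem --- Confirm that the DC locator records Active Directory depends on are registered ---
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com 10.0.1.10
```

If the last query returns no SRV records, restart the Netlogon service on the domain controller (`net stop netlogon` then `net start netlogon`) to force it to re-register them.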
PLANNING DNS SECURITY
Determine DNS security threats
Secure DNS
DETERMINING DNS SECURITY THREATS
Denial of service (DoS): flooding a server with queries so that legitimate clients cannot be answered
Footprinting: obtaining the organization's zone data, typically through an unrestricted zone transfer, to map hosts and services
IP spoofing: using a forged source address, for example to pass as a host that is allowed to update or transfer a zone
Redirection: causing clients to be sent to an attacker's host, for example by polluting a server's cache with false records
SECURING DNS
Provide redundant DNS services
Limit DNS interface access
Secure zone replication
Prevent cache corruption
Use secure dynamic updates
Use standard security measures
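The hardening list above mapped onto dnscmd settings, followed by the check an attacker would perform, as an added example that is not from the original chapter. EXT1 is an invented Internet-facing authoritative server with a public address of 203.0.113.10 and a management address of 10.0.1.50; 203.0.113.11 is its only authorised secondary.

```batch
@echo off
rem Added illustration for this chapter; server names and IP addresses are invented.

rem --- Limit interface access: serve DNS on the public interface only, never on the
rem management NIC. ---
dnscmd EXT1 /ResetListenAddresses 203.0.113.10

rem --- Secure zone replication: transfer only to the listed secondary and notify it of
rem changes. /NoXfr would disable transfers entirely; /SecureNs would allow any server
rem named in the zone's NS records, which is weaker if those names can be tampered with. ---
dnscmd EXT1 /ZoneResetSecondaries contoso.com /SecureList 203.0.113.11 /NotifyList 203.0.113.11

rem --- Prevent cache corruption: drop records in a response that do not belong to the
rem subtree of the name that was queried (the "secure cache against pollution" option). ---
dnscmd EXT1 /Config /SecureResponses 1

rem --- Dynamic updates off on the external standard primary. Secure-only (value 2) needs an
rem Active Directory-integrated zone and is the right setting for the internal zone, not this one. ---
dnscmd EXT1 /Config contoso.com /AllowUpdate 0

rem --- Standard measure beyond the slide's list: an Internet-facing authoritative server has
rem no reason to resolve arbitrary names for the world, so refuse recursion here. Leave
rem recursion enabled on the internal resolvers that clients actually use. ---
dnscmd EXT1 /Config /NoRecursion 1

rem --- Check from an untrusted host that footprinting by zone transfer now fails. In an
rem interactive nslookup session:
rem     > server 203.0.113.10
rem     > ls -d contoso.com
rem The server must answer with a refusal rather than listing the zone. ---
rem Review the resulting server and zone settings:
dnscmd EXT1 /Info
dnscmd EXT1 /ZoneInfo contoso.com
```

Run the `ls -d` check from the authorised secondary as well: it must still succeed there, otherwise replication (the "redundant DNS services" item) has been broken along with the attacker's access.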
INTEROPERABILITY WITH OTHER DNS SERVERS
Windows Server 2003 and BIND
Windows Server 2003 and Windows 2000 DNS
Interoperability with Windows NT 4.0 and Windows 2000 DNS
WINDOWS SERVER 2003 AND BIND
Windows Server 2003 DNS can be used with other DNS servers that use the BIND name server.
BIND version 4.9.4 and later support the fast transfer format for optimized zone transfers.
BIND version 4.9.5 and later support SRV records, which are required by clients on a Windows Server 2003 network to locate domain controllers.
WINDOWS SERVER 2003 AND WINDOWS 2000 DNS
Windows Server 2003 and Windows 2000 servers running DNS can coexist on the same network.
Windows 2000 domain controllers must be running Service Pack 3 or later.
Windows 2000 DNS does not support the use of custom (application) directory partitions to host zones; zones that Windows 2000 domain controllers must load have to remain in the domain partition.
INTEROPERABILITY WITH WINDOWS NT 4 AND WINDOWS 2000 DNS
Microsoft Windows NT 4 servers must be running Service Pack 4 or later.
Windows NT 4 DNS does not support Active Directory–integrated zones.
Windows NT 4 DNS does not support dynamic updates.
SUMMARY
When creating a DNS namespace, devise a naming scheme to accommodate both organizational factors and physical network factors.
Creating subdomains enables you to delegate authority over parts of the namespace and balance the DNS traffic load among multiple servers.
When combining internal and external domains, recommended practice is to use a registered domain name for the external network and to create zones beneath it for the internal network.
When determining whether to replicate a zone to a site, balance the amount of replication traffic that will have to travel across the WAN against the amount of resolution traffic that will have to travel across the WAN.
A forwarder is a DNS server that resolves requests from other DNS servers.
SUMMARY (CONTINUED)
Securing zone replication prevents attackers from footprinting the network by pulling a copy of the zone.
Securing dynamic updates and using cache pollution protection help prevent intruders from loading a DNS server with false data.
When designing a DNS name resolution strategy, you decide how many domains you need and what to name them. Then you populate those domains with hosts.
To implement a DNS name resolution strategy, you create zones on your DNS servers and populate them with resource records.
By default, Windows Server 2003 supports BIND secondaries.
BIND version 4.9.5 and later support SRV records and can be used by clients on a Windows Server 2003 network to locate domain controllers.