
Module 6: Designing Name Resolution

Module Overview

- Collecting Information for a Name Resolution Design
- Designing a DNS Server Strategy
- Designing a DNS Namespace
- Designing DNS Zone Implementation
- Designing Zone Replication and Delegation

Lesson 1: Collecting Information for a Name Resolution Design

- Reasons for Name Resolution
- Considerations for Configuring Name Resolution
- Physical Location Considerations for a Name Resolution Design
- Host Requirements for a Name Resolution Design
- NetBIOS Resources
- Discussion: Gathering Data for a Name Resolution Design

Reasons for Name Resolution

Name resolution is required:

- To simplify access to resources
- To locate domain controllers
- To locate global catalog servers

Considerations for Configuring Name Resolution

Consider whether:

- A DNS infrastructure already exists
- The Active Directory namespace is the same as the public DNS namespace
- The Active Directory namespace does not overlap with the public DNS namespace
- NetBIOS name resolution services, such as WINS, are used on the network

Physical Location Considerations for a Name Resolution Design

Type               Physical location consideration
Locations          Number of locations
Hosts              Number of hosts at each location
DNS servers        Existence of any prior DNS servers
Active Directory   Existence of, or plans to include, an Active Directory infrastructure
Client computers   Location of client computers in relation to a WINS server

Host Requirements for a Name Resolution Design

Identify the following host information:

- Are computers with dynamic IP addresses providing IP-based services? (Such hosts need dynamic DNS registration, or their records go stale.)
- Do hosts run applications that require the ability to determine a host's name from its IP address? (These need reverse lookup zones.)
- Do hosts run applications or services that use NetBIOS?
- Do any client computers resolve NetBIOS names only by broadcast, with no WINS server available?

NetBIOS Resources

Identify systems and applications that rely on NetBIOS for name resolution, including:

- Windows 98 and Windows NT
- Windows workgroups that do not implement Active Directory
- Some applications and services

Determine the impact of removing NetBIOS:

- If NetBIOS is used by a critical application, continue to use WINS

Discussion: Gathering Data for Name Resolution Design


What data needs to be collected for designing name resolution?

Lesson 2: Designing a DNS Server Strategy

- How Clients Resolve Host Names
- Determining DNS Server Requirements
- Considerations for Placing DNS Servers
- DNS Server Roles
- Securing DNS Servers

How Clients Resolve Host Names

Clients can use the following methods, in this order, to resolve host names:

- DNS client resolver cache (which is preloaded with the contents of the HOSTS file, so a HOSTS entry is answered before any DNS server is asked)
- DNS server
- NetBIOS name resolution methods

DNS name resolution on the server is controlled by:

- Root hints
- Caching
- Delegation
- Forwarding
- Conditional forwarding

Determining DNS Server Requirements

Server capacity:

- Determine the number of zones for each server
- Determine the size of each zone
- Determine the number of queries for each server

Server requirements (rule of thumb):

- Approximately 4 MB of RAM for the service
- Approximately 100 bytes of RAM for each resource record

Considerations for Placing DNS Servers

For DNS server placement, consider:

- Network traffic over WAN links
- Availability, if a WAN link fails
- Redundancy, if a DNS server fails
- Client impact, if DNS is unavailable
- Application impact, if DNS is unavailable

DNS Server Roles

Role                     Situation
Caching-only servers     A remote office has a limited amount of available bandwidth
Non-recursive servers    You have Internet-facing DNS servers that are authoritative for one or more zones
Forward-only servers     You want to manage the DNS traffic between your network and the Internet
Conditional forwarders   You want DNS clients on separate networks to resolve each other's names without having to query the DNS server on the Internet
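The following is an added example, not part of the course material, showing how each of the four roles in the table is configured with the DnsServer PowerShell module (Windows Server 2012 and later; on Windows Server 2008 the same settings are made with dnscmd.exe or the DNS Manager console). The server names and IP addresses are assumptions chosen for illustration.

```powershell
# Added example (not from the course): configuring the four DNS server roles.
# Requires the DnsServer module (Windows Server 2012+). Names/addresses are assumed.

# 1. Caching-only server at a bandwidth-limited remote office: hosts no zones. Here it
#    also forwards to the hub resolvers so each cache miss crosses the WAN once, and
#    cache locking stops responses from overwriting records that are still within TTL.
Set-DnsServerForwarder -ComputerName 'BRANCH-DNS1' -IPAddress 10.0.0.10, 10.0.0.11 -UseRootHint $false
Set-DnsServerCache -ComputerName 'BRANCH-DNS1' -LockingPercent 100
# Check that nothing authoritative (other than the auto-created zones) is loaded on it.
Get-DnsServerZone -ComputerName 'BRANCH-DNS1' | Where-Object { -not $_.IsAutoCreated }

# 2. Non-recursive server: Internet-facing and authoritative only. With recursion off it
#    answers for its own zones and refuses everything else, so it cannot be used as an
#    open resolver for cache poisoning or reflection/amplification traffic.
Set-DnsServerRecursion -ComputerName 'EXT-DNS1' -Enable $false

# 3. Forward-only server: internal resolver that sends every non-authoritative query to a
#    designated forwarder (for example a filtering resolver at the perimeter) and never
#    falls back to root hints; -UseRootHint $false is what makes it forward-only.
Set-DnsServerForwarder -ComputerName 'INT-DNS1' -IPAddress 192.0.2.53 -UseRootHint $false -Timeout 5

# 4. Conditional forwarder: queries for a partner namespace go directly to the partner's
#    DNS servers rather than out to the Internet. Storing it in AD replicates it forest-wide.
Add-DnsServerConditionalForwarderZone -ComputerName 'INT-DNS1' -Name 'partner.example' `
    -MasterServers 198.51.100.10, 198.51.100.11 -ReplicationScope 'Forest'

# Audit: report the effective recursion/forwarding posture of each server.
foreach ($s in 'BRANCH-DNS1', 'EXT-DNS1', 'INT-DNS1') {
    $r = Get-DnsServerRecursion -ComputerName $s
    $f = Get-DnsServerForwarder -ComputerName $s
    [pscustomobject]@{
        Server      = $s
        Recursion   = $r.Enable
        Forwarders  = ($f.IPAddress -join ',')
        UseRootHint = $f.UseRootHint
    }
}
```

The audit loop at the end is the check worth keeping: an Internet-facing server that reports Recursion = True, or an internal server that reports UseRootHint = True when the design calls for forward-only, is a design deviation that the perimeter firewall rules from the next slide will not compensate for.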

Securing DNS Servers

Options for securing Microsoft DNS servers:

- Firewalls, including Windows Firewall
- Restricting zone transfers
- Securing dynamic updates
- Active Directory-integrated zones
- Forwarding, to limit Internet name resolution

Lesson 3: Designing a DNS Namespace

- DNS Namespace Options
- Selecting a DNS Namespace Option
- Hosting Options for DNS
- Guidelines for Designing DNS Namespaces

DNS Namespace Options

Option             Public DNS namespace   Internal namespace
Same namespace     nwtraders.com          nwtraders.com
Subdomain          nwtraders.com          corp.nwtraders.com
Unique namespace   nwtraders.com          nwtraders.local

Selecting a DNS Namespace Option

Same namespace:

- Internal records should not be available externally
- Records may need to be synchronized between internal and external DNS

Subdomain:

- Record synchronization is not required
- Contiguous namespace is easy to understand

Unique namespace:

- Record synchronization is not required
- Existing DNS infrastructure is unaffected
- Clearly delineates between internal and external DNS

Hosting Options for DNS

Complete DNS
  - All internal and external records on a single server
  - Simple deployment

Split DNS
  - External and internal DNS are hosted on separate servers
  - Internal DNS servers can forward Internet DNS requests
  - Increased security over complete DNS

Split-Split DNS
  - External and internal DNS are hosted on separate servers
  - One external server hosts and resolves local records only
  - One external server resolves non-local records only

Guidelines for Designing DNS Namespaces

- Carefully select your internal namespace before installing Active Directory; renaming a forest afterwards is costly
- Use an internal domain that is a subdomain of the external domain, for simplicity
- Use an unrelated namespace if you cannot create your internal domain as a subdomain of the external domain
- Avoid using the same internal and external namespace

Note: if you choose an unrelated namespace, prefer a subdomain of a registered public domain you control over a made-up top-level domain such as .local: .local is reserved for multicast DNS (RFC 6762), so Apple and Linux hosts may resolve it by mDNS instead of your DNS servers, and public certificate authorities no longer issue certificates for such names.

Lesson 4: Designing DNS Zone Implementation

- Selecting Zone Types
- Selecting Zone Data Location
- Zone Security Considerations

Selecting Zone Types

Primary
  Available disk locations: File, Active Directory
  Zone information: Replicated to other Active Directory-integrated zones; transferred to secondary zone servers
  Use this zone to:
    - Act as the point of update for the zone
    - Have a read/write copy of the zone information
    - Administer zone information separately

Secondary
  Available disk locations: File
  Zone information: Provides limited fault tolerance
  Use this zone to:
    - Have a read-only copy of the zone information
    - Improve availability of primary zones
    - Improve performance at local and remote locations

Stub
  Available disk locations: File, Active Directory
  Zone information: Periodically queries the target zone's name servers for updates
  Use this zone to:
    - Improve the efficiency of name resolution
    - Simplify DNS administration

Selecting Zone Data Location

Disk
  - Used by traditional primary and secondary zones
  - Chosen for integration into existing infrastructure
  - Does not require the server to be a domain controller

Active Directory
  - Used by Active Directory-integrated zones
  - Automatic replication to all domain controllers within the zone's replication scope (domain, forest, or a custom application partition)
  - Allows multiple servers to update zone data (multi-master), and is a prerequisite for secure dynamic updates

Combination
  - Used to integrate with traditional DNS
  - Active Directory-integrated zones act as primary to traditional secondary zones

Zone Security Considerations

- Secured dynamic updates in Active Directory
- Dynamic DNS updates from DHCP
- DNS client dynamic updates
- Zone permissions

Lesson 5: Designing Zone Replication and Delegation

- Reasons for Designing Secondary Zones
- Zone Replication
- Zone Transfers
- Zone Delegation

Reasons for Designing Secondary Zones

Create a secondary zone when you want to:

- Provide zone redundancy
- Reduce DNS network traffic
- Reduce the load on the primary server for a zone

Zone Replication

[Diagram: two Active Directory-integrated zones exchange data through Active Directory replication; a traditional primary zone sends data to a secondary zone through a zone transfer]

Zone type                          Replication options
Active Directory-integrated zone   Performing incremental replication between DNS servers; adjusting the Active Directory replication schedule
Traditional DNS zone               Replicating between primary and secondary zones; performing an incremental rather than a complete zone transfer

Zone Transfers

Security options for zone transfers are:

- Restricting zone transfers to an explicit list of secondary servers (an unrestricted zone transfer hands an attacker a complete inventory of internal hosts)
- Securing zone transfers with a VPN or IPsec
- Using Active Directory-integrated zones, whose replication is authenticated and encrypted by Active Directory

Reduce zone transfer impact by:

- Using fast zone transfers to compress data
- Replicating outside of peak hours
- Using incremental zone transfers
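The following is an added example, not part of the course material, that applies the zone-level controls from Securing DNS Servers (Lesson 2), Zone Security Considerations (Lesson 4) and this slide to an existing primary zone: the weak setting is shown beside the corrected one, followed by an audit function that flags zones still left open. It uses the DnsServer PowerShell module (Windows Server 2012 and later; on Windows Server 2008 the equivalents are dnscmd /ZoneResetSecondaries and dnscmd /Config ZoneName /AllowUpdate). The zone name and addresses are assumptions.

```powershell
# Added example (not from the course): hardening zone transfers and dynamic updates.
# Requires the DnsServer module (Windows Server 2012+). Zone and addresses are assumed.
$zone        = 'corp.nwtraders.com'
$secondaries = '10.0.0.20', '10.0.0.21'   # the only servers that should ever receive the zone

# Weak setting (commented out, shown for contrast): any host may AXFR the whole zone and
# any host may register or overwrite records, i.e. a free host inventory plus a trivial
# record-hijack path for anyone on the network.
# Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries 'TransferAnyServer' `
#     -DynamicUpdate 'NonsecureAndSecure'

# Corrected setting: transfers and NOTIFY messages only to the listed secondaries, and
# only Kerberos-authenticated ("secure") dynamic updates. Secure updates require the zone
# to be Active Directory-integrated; on a file-backed zone this call fails.
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries 'TransferToSecureServers' `
    -SecondaryServers $secondaries -Notify 'NotifyServers' -NotifyServers $secondaries
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate 'Secure'

# Audit: list every primary zone on a server whose transfer or update policy is weaker
# than the corrected settings above. Reverse and auto-created zones are skipped.
function Get-WeakDnsZonePolicy {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and -not $_.IsReverseLookupZone } |
        ForEach-Object {
            $z = Get-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.ZoneName
            [pscustomobject]@{
                Zone            = $z.ZoneName
                TransferPolicy  = $z.SecureSecondaries          # expect TransferToSecureServers or NoTransfer
                OpenTransfer    = ($z.SecureSecondaries -eq 'TransferAnyServer')
                UpdatePolicy    = $z.DynamicUpdate              # expect Secure or None
                NonsecureUpdate = ($z.DynamicUpdate -eq 'NonsecureAndSecure')
                ADIntegrated    = $z.IsDsIntegrated
            }
        } | Where-Object { $_.OpenTransfer -or $_.NonsecureUpdate }
}
Get-WeakDnsZonePolicy
```

Run the audit function against every authoritative server, not only the one you just corrected: a file-backed secondary copy of the same zone has its own transfer setting and is a common place for an unrestricted AXFR to survive after the primary has been locked down.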

Zone Delegation

Provides the option of dividing the namespace into one or more zones.

Use additional zones when you have:

- A need to delegate management of part of your DNS namespace
- A need to divide one large zone into smaller zones
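The following is an added example, not part of the course material, that builds the zone layout described in Lesson 4 (an Active Directory-integrated primary, a file-backed secondary on a non-domain-controller, and a stub zone) and then delegates the child namespace from its parent zone as described above. It uses the DnsServer PowerShell module (Windows Server 2012 and later; on Windows Server 2008 the equivalents are dnscmd /ZoneAdd and dnscmd /RecordAdd). The names and addresses are assumptions.

```powershell
# Added example (not from the course): zone types, data locations and delegation.
# Requires the DnsServer module (Windows Server 2012+). Names/addresses are assumed.

# Active Directory-integrated primary for the internal namespace: stored in AD, replicated
# to every DNS server that is a DC in the forest, multi-master, and requiring secure
# (authenticated) dynamic updates from the start. Run this on a domain controller.
Add-DnsServerPrimaryZone -Name 'corp.nwtraders.com' -ReplicationScope 'Forest' -DynamicUpdate 'Secure'

# Delegation: the parent zone nwtraders.com (assumed to be hosted on the same server)
# receives NS and glue records for the child, so queries for *.corp.nwtraders.com are
# referred to the child's name server instead of answered NXDOMAIN by the parent.
Add-DnsServerZoneDelegation -Name 'nwtraders.com' -ChildZoneName 'corp' `
    -NameServer 'ns1.corp.nwtraders.com' -IPAddress 10.0.1.10

# File-backed secondary on a member server (not a DC) at a remote site: a read-only copy
# pulled by zone transfer from the AD-integrated primary (the "combination" data location).
# The primary must list 10.0.1.20 among its allowed secondaries or the transfer is refused.
Add-DnsServerSecondaryZone -ComputerName 'LON-DNS2' -Name 'corp.nwtraders.com' `
    -ZoneFile 'corp.nwtraders.com.dns' -MasterServers 10.0.1.10

# Stub zone for a partner namespace: holds only the SOA, NS and glue records and refreshes
# them from the partner's servers, so local servers follow partner NS changes without
# holding (or being able to leak) a full copy of the partner zone.
Add-DnsServerStubZone -Name 'partner.example' -MasterServers 198.51.100.10 -ReplicationScope 'Forest'

# Verify where each zone lives and how it replicates.
function Get-ZoneLayout {
    param([string]$ComputerName = $env:COMPUTERNAME)
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { -not $_.IsAutoCreated } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, DynamicUpdate, ZoneFile
}
Get-ZoneLayout

# Confirm the delegation: the parent's server should return the child's NS record.
Resolve-DnsName -Name 'corp.nwtraders.com' -Type NS -Server 10.0.0.10
```

The final Resolve-DnsName call is the check to keep in a runbook: if the parent answers with its own SOA instead of the child's NS record, the delegation is missing or the glue address is wrong, and clients that query the parent will never reach the child zone.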

Lab: Designing a Name Resolution Strategy in Windows Server 2008

- Exercise 1: Designing a DNS Namespace
- Exercise 2: Designing a DNS Server Strategy
- Exercise 3: Designing a DNS Zone and Replication Strategy
- Exercise 4: Discuss the Design of Name Resolution
- Exercise 5: Implement a DNS and Zone Replication Strategy

Logon information

Virtual machine                   User name       Password
NYC-DC1, NYC-XXX, and LON-DC1     Administrator   Pa$$w0rd

Estimated time: 75 minutes
