Module 6: Designing Name Resolution

Module Overview Collecting Information for a Name Resolution Design Designing a DNS Server Strategy Designing a DNS Namespace Designing DNS Zone Implementation Designing Zone Replication and Delegation

Lesson 1: Collecting Information for a Name Resolution Design Physical Location Considerations for a Name Resolution Design NetBIOS Resources

Physical Location Considerations for a Name Resolution Design TypePhysical location consideration Locations Number of locations Hosts Number of hosts at each location DNS servers Existence of any prior DNS servers Active Directory Existence of, or plans to include an Active Directory infrastructure Client computers Location of client computers in relation to a WINS server

NetBIOS Resources Identify systems and applications that rely on NetBIOS for name resolution, including:  Windows 98, Windows NT  Windows workgroups that do not implement Active Directory  Some applications and services Determine the impact of removing NetBIOS If NetBIOS is used by a critical application, continue to use WINS

Lesson 2: Designing a DNS Server Strategy How Clients Resolve Host Names Consideration for Placing DNS Servers DNS Server Roles Securing DNS Servers

How Clients Resolve Host Names Clients can use the following methods to resolve host names: DNS cache (includes contents of HOSTS file) DNS server NetBIOS name resolution methods DNS name resolution is controlled by: Root hints Caching Delegation Forwarding Conditional forwarding

Considerations for Placing DNS Servers For DNS server placement, consider: Network traffic over WAN links Availability, if a WAN link fails Redundancy, if a DNS server fails Client impact, if DNS is unavailable Application impact, if DNS is unavailable

DNS Server Roles RoleSituation Caching-only servers A remote office has a limited amount of available bandwidth Non-recursive servers You have Internet-facing DNS that are authoritative for one or more zones Forward-only servers You want to manage the DNS traffic between your network and the Internet Conditional forwarders You want DNS clients on separate networks to resolve each others’ names without having to query the DNS server on the Internet

Securing DNS Servers Options for securing Microsoft DNS servers: Firewalls, including Windows Firewall Restricting zone transfers Securing dynamic updates Active Directory Integrated zones Forwarding, to limit Internet name resolution

Lesson 3: Designing a DNS Namespace DNS Namespace Options Selecting DNS Namespace Option Hosting Options for DNS Guidelines for Designing DNS Namespaces

DNS Namespace Options Same Namespace Same Namespace Subdomain Unique Namespace Unique Namespace nwtraders.com nwtraders.localcorp.nwtraders.com nwtraders.com Internal Namespace Internal Namespace Internal Namespace Internal Namespace Internal Namespace Internal Namespace Public DNS Namespace

Selecting DNS Namespace Option Unique namespace:  Record synchronization is not required  Existing DNS infrastructure is unaffected  Clearly delineates between internal and external DNS Same namespace: Internal records should not be available externally Records may need to be synchronized between internal and external DNS Subdomain: Record synchronization is not required Contiguous namespace is easy to understand

Hosting Options for DNS External and internal DNS are hosted on separate servers One external server host resolves local records only One external server resolves non-local records only Split-Split DNS External and internal DNS are hosted on separate servers Internal DNS servers can forward Internet DNS requests Increased security over complete DNS Split DNS All internal and external on a single server Simple deployment DescriptionOption Complete DNS

Guidelines for Designing DNS Namespaces Carefully select your internal namespace before installing Active Directory Use an internal domain that is a sub-domain of the external domain, for simplicity Use unrelated namespaces if you cannot create your internal domain as a subdomain on the external domain Avoid using the same internal and external namespace

Lesson 4: Designing DNS Zone Implementation Selecting Zone Types Selecting Zone Data Location Zone Security Considerations

Selecting Zone Types Zone type Available disk locations Zone information Use this zone to: Primary Active Directory Replicated to other Active Directory- integrated zones Act as the point of update for the zone Have a read/write copy of the zone information Administer zone information separately File Transferred to secondary zone servers Secondary File Provides limited fault tolerance Have a read-only copy of the zone information Improve availability of primary zones Improve performance at local and remote locations Stub Active Directory Periodically queries the target zone name servers for updates Improve the efficiency of name resolution Simplify DNS administration File

Selecting Zone Data Location Used by Active Directory-integrated zones Automatic replication to all domain controllers Allows multiple servers to update zone data Active Directory Used to integrate with traditional DNS Active Directory-integrated zones act as primary to traditional secondary zones Combination Used by traditional primary and secondary zones Chosen for integration into existing infrastructure Does not require server to be a DC Disk

Zone Security Considerations Secured dynamic updates in Active Directory Dynamic DNS updates from DHCP DNS client dynamic updates Zone permissions

Lesson 5: Designing Zone Replication and Delegation Zone Replication Zone Transfers Zone Delegation

Zone Replication Performing incremental replication between DNS servers Adjusting the Active Directory replication schedule Active Directory – integrated zone Replicating between primary and secondary zones Performing an incremental rather than a complete zone transfer Traditional DNS zone Replication optionsZone type Active Directory–Integrated Zones Traditional DNS Zones Active Directory- Integrated Zone Primary Zone Secondary Zone Replication Zone Transfer

Zone Transfers Reduce zone transfer impact by: Using fast zone transfers to compress data Replicating outside of peak hours Using incremental zone replication Security options for zone transfers are: Restricting zone transfers Securing zone transfers with VPN or IPSec Using Active Directory-integrated zones to automatically secure replication